Re: [Freeipa-users] Heads-up: Removing self-sign CA

Hi,

On Tue, Mar 26, 2013 at 05:02:34PM +0100, Petr Viktorin wrote:
> We will soon be introducing a way to install IPA with custom
> certificates without a CA at all. When that is merged, it will no
> longer be possible to install a self-sign server.

I see that the change in functionality is in line with generic Unix principles; Linux distros already have tools to create and manage their own self-signed CAs.

Yet from what I understand, this change will make all test setups more complicated. One then has to deploy one's own CA (i.e. with the openssl tools) and have it sign the IPA cert.

Christian

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Heads-up: Removing self-sign CA

On 03/28/2013 09:10 AM, Christian Horn wrote:
> Hi,
>
> On Tue, Mar 26, 2013 at 05:02:34PM +0100, Petr Viktorin wrote:
>> We will soon be introducing a way to install IPA with custom
>> certificates without a CA at all. When that is merged, it will no
>> longer be possible to install a self-sign server.
>
> I see that the change in functionality is in line with generic Unix
> principles; Linux distros already have tools to create and manage
> their own self-signed CAs.

To clarify: this is about removing the --selfsign option to ipa-server-install, which installs a limited CA (for example, it doesn't support CA replication or cert-find). The default Dogtag CA also uses a self-signed certificate, but it's not affected by this change. The naming confusion is a small part of the reason why it's better to remove --selfsign.

> Yet from what I understand, this change will make all test setups more
> complicated. One then has to deploy one's own CA (i.e. with the openssl
> tools) and have it sign the IPA cert.

Use the default Dogtag CA for test setups. It will still use a self-signed CA certificate by default.

-- 
Petr³
Re: [Freeipa-users] Heads-up: Removing self-sign CA

On Thu, Mar 28, 2013 at 09:32:36AM +0100, Petr Viktorin wrote:
> To clarify: this is about removing the --selfsign option to
> ipa-server-install, which installs a limited CA (for example, it
> doesn't support CA replication or cert-find). The default Dogtag CA
> also uses a self-signed certificate, but it's not affected by this
> change. The naming confusion is a small part of the reason why it's
> better to remove --selfsign.

Thanks, I see.

Christian
[Freeipa-users] Heads-up: Removing self-sign CA

Hello list,

FreeIPA's self-sign CA is a holdout from the days when our integration with a real CA wasn't that good. Also, its name is confusing: the Dogtag CA also uses a self-signed certificate by default.

We will soon be introducing a way to install IPA with custom certificates without a CA at all. When that is merged, it will no longer be possible to install a self-sign server.

After that, the plan is to convert existing self-sign masters to CA-less on upgrade, and remove the self-sign code. On a CA-less master, IPA's cert commands will no longer be available and cert rotation will need to be done manually. Documentation on how to do this (using the existing self-signed CA cert) will be provided.

-- 
Petr³