[Freeipa-users] Re: Internal vs External CA

2019-10-18 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen wrote: > OK I must have missed that and I think I have the root cert now.  I ran  > ipa-cacert-manage -n Digicert_Root -t C,, install > DigiCert_Global_Root_CA.crt > The message I got back said that this cert was installed successfully. > > So now I tried adding the others using

[Freeipa-users] Re: Internal vs External CA

2019-10-18 Thread Kristian Petersen via FreeIPA-users
OK I must have missed that and I think I have the root cert now. I ran ipa-cacert-manage -n Digicert_Root -t C,, install DigiCert_Global_Root_CA.crt The message I got back said that this cert was installed successfully. So now I tried adding the others using the same command as above (with a diff

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Kristian Petersen via FreeIPA-users
I tried attaching the files to my reply but that was rejected. So what is the best way to share them with you? On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden wrote: > Kristian Petersen via FreeIPA-users wrote: > > They aren't in one file. But the server cert's issuer is the subject of > > the

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Kristian Petersen via FreeIPA-users
I have attached the files to this response. On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden wrote: > Kristian Petersen via FreeIPA-users wrote: > > They aren't in one file. But the server cert's issuer is the subject of > > the DigiCert.crt file. I have already tried adding just the > > Digicer

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > They aren't in one file.  But the server cert's issuer is the subject of > the DigiCert.crt file.  I have already tried adding just the > Digicert.crt file only to have it tell me its Peer's Certificate isn't > trusted.  I don't even know what certifica

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Kristian Petersen via FreeIPA-users
They aren't in one file. But the server cert's issuer is the subject of the DigiCert.crt file. I have already tried adding just the Digicert.crt file only to have it tell me its Peer's Certificate isn't trusted. I don't even know what certificate that is talking about. On Tue, Oct 15, 2019 at

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen wrote: > Rob, > > After investigating the certs as you had suggested, I do have the whole > chain.  The server cert has as its issuer: > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com > , CN = DigiCert SHA2 High Assurance Server CA > > And the D

[Freeipa-users] Re: Internal vs External CA

2019-10-14 Thread Kristian Petersen via FreeIPA-users
Rob, After investigating the certs as you had suggested, I do have the whole chain. The server cert has as its issuer: Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA And the DigiCert.crt file has as its issuer and subject: Issuer: C = US, O =

[Freeipa-users] Re: Internal vs External CA

2019-10-11 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen wrote: > New but related question:  If I just want to add new LDAP and HTTPS > certs (not replacing the current ones) I know that can be done.  I read > an article from Florence Blanc-Renaud that mentions it, but I ran into > some errors and I'm trying to troubleshoot them. When

[Freeipa-users] Re: Internal vs External CA

2019-10-11 Thread Kristian Petersen via FreeIPA-users
New but related question: If I just want to add new LDAP and HTTPS certs (not replacing the current ones) I know that can be done. I read an article from Florence Blanc-Renaud that mentions it, but I ran into some errors and I'm trying to troubleshoot them. When I ran ipa-server-certinstall and

[Freeipa-users] Re: Internal vs External CA

2019-10-11 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > That outlines the options, but not why I should or shouldn't use any of > them.  That is more of what I am looking for. It's less benefit analysis and more forced by internal requirements. Often an organization already has a CA and wants any additional

[Freeipa-users] Re: Internal vs External CA

2019-10-11 Thread Kristian Petersen via FreeIPA-users
That outlines the options, but not why I should or shouldn't use any of them. That is more of what I am looking for. On Fri, Oct 11, 2019 at 9:47 AM François Cami wrote: > Hi, > > On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users > wrote: > > > > Hey y'all, > > > > What are t

[Freeipa-users] Re: Internal vs External CA

2019-10-11 Thread François Cami via FreeIPA-users
Hi, On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users wrote: > > Hey y'all, > > What are the pros and cons of using an external or internal CA for > FreeIPA/IdM? I am trying to decide which to do but having trouble finding a > lot of info about why I would want to do one or