[Freeipa-users] Adding a cert post install

David Christensen David.Christensen at viveli.com
Wed Jul 29 15:05:09 UTC 2009


Rob Crittenden wrote:
> David Christensen wrote:
>> Rob Crittenden wrote:
>>> David Christensen wrote:
>>>> If freeIPA was installed and a CA signed cert was not used during the
>>>> install and instead the freeipa generated one was used, it is possible
>>>> to import one post install?
>>> There is a tool to do that, ipa-server-certinstall.
>>>
>>>> If not this is not possible or rather difficult, is it possible to
>>>> backup the freeIPA DB and import it after a new install to use the
>>>> legit CA cert?
>>> It isn't too difficult to do but you have to understand the
>>> ramifications. When you create any replicas you'll need to provide two
>>> certificates for it (one for Apache and one for 389) in the form of
>>> PKCS#12 files and they need to be issued from the same CA as your other
>>> IPA servers (or they must already be trusted).
>>>
>>> You just have to be very careful, basically.
>>>
>>> rob
>>
>> Thanks for the info Rob.
>>
>> Does the same ramification exist using the ipa-server-certinstall tool?
> 
> Yes, once you replace the self-signed CA you'll be responsible for
> providing all future certificates via PKCS#12 files and ensuring that
> the required CA certs will be available for trust purposes.
> 
> It isn't an overwhelming task but can be confusing for those new to SSL.
> 
> rob

Thanks for clarifying.  Can the tool be used on replicas?  I created a
replica for multimaster replication using the default install so I will
need to import the SSL cert for both ipa servers.