[Freeipa-users] Automatic IPA CA cert generation

Fraser Tweedale ftweedal at redhat.com
Wed Sep 23 10:03:57 UTC 2015


On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
> On 22/09/15 17:02, James Masson wrote:
> >
> >Hi,
> >
> >we're building IPAs in an automated fashion, for environments that get
> >created and destroyed a lot. At the moment, the CA certs used inside
> >these IPAs are self-signed, as part of the normal "ipa-server-install"
> >setup process.
> >
> >We would like to switch to issuing signed intermediate CA certs to the
> >IPAs we deploy.
> >
> >The documentation lists the two part process necessary for this. First
> >"--external-ca" - and then "--external-cert-file"
> >
> >Are there any ways to skip this, and give the setup process a known
> >public/private key+cert up front? I'm hoping to avoid the need to have
> >to use/send this automatically generated CSR every time.
> >
> >thanks
> >
> >James M
> >
> 
> Hello James,
> Currently it's not possible, but making installation with an externally signed
> CA a single step sounds really useful to me.
> Currently certmonger generates the CSR for the FreeIPA server in the first
> step of installation. Certmonger is also able to send a certificate to an
> external CA for signing.
> 
> I'm not sure if we could combine these two certmonger abilities right now,
> but if not, it shouldn't be difficult to add functionality to certmonger to
> send the CSR to a preconfigured CA instead of just storing it in a file.
> 
> This would of course require configuring certmonger with information
> about the CA before FreeIPA server installation, but it's just one command
> (getcert-add-ca).
> 
> Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
> 
There are two sides to this - one is using Certmonger for automatic
signing of intermediate CA certificate to be used by IPA, the other
is simply using a CA cert that the administrator already possesses,
e.g. in a PKCS #12 file.  These should be separate tickets.

Cheers,
Fraser

> -- 
> David Kupka
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
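The two-step flow James describes (ipa-server-install --external-ca writes a CSR, an external CA signs it, the install resumes with --external-cert-file) can have its middle step scripted today. The script below is an added example written for this page, not FreeIPA, certmonger or the list members' code: it stands up a throwaway root CA with openssl as the "organisation CA", signs a constructed stand-in for the IPA CSR (the real one is /root/ipa.csr; the subject used here mimics IPA's default but is an assumption), and checks the result the way a practitioner would before feeding it back to the installer. All directory and file names are hypothetical. The check that matters most is the last one: the issued certificate must carry basicConstraints CA:TRUE, because IPA's CA will sign with it, and an external CA that processes the CSR like an ordinary server request produces a certificate that chains fine but cannot act as a CA.

```shell
#!/bin/sh
# Added example (not FreeIPA's code): script the external-CA signing step of
# the --external-ca / --external-cert-file install flow with openssl.
# All paths are hypothetical; the IPA CSR below is a constructed stand-in.
set -eu

# Stand-in for the organisation's existing root CA that will sign the IPA CA.
make_root_ca() {
  dir=$1
  cat > "$dir/root.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
O = Example Corp
CN = Example Corp Root CA
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/root.cnf" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
}

# Constructed stand-in for the CSR that "ipa-server-install --external-ca"
# writes (/root/ipa.csr); the subject mimics IPA's default CA subject.
make_ipa_csr() {
  dir=$1
  cat > "$dir/ipa.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = EXAMPLE.TEST
CN = Certificate Authority
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ipa.cnf" \
    -keyout "$dir/ipa.key" -out "$dir/ipa.csr" 2>/dev/null
}

# Sign the IPA CSR as a subordinate CA. The extension file is the point:
# without basicConstraints CA:TRUE the result is a plain leaf certificate.
sign_ipa_csr() {
  dir=$1
  cat > "$dir/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 730 -extfile "$dir/subca.ext" -out "$dir/ipa.crt" 2>/dev/null
  # Both files go back to the installer via --external-cert-file (repeat the
  # option for the signed cert and for the chain; see your version's man page).
  cat "$dir/ipa.crt" "$dir/root.crt" > "$dir/ipa-chain.pem"
}

# Does certificate $1 validate against root $2?
chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does certificate $1 carry basicConstraints CA:TRUE? A chain that validates
# but fails this check was signed like a server cert and is useless as IPA's CA.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

main() {
  dir=${1:-$(mktemp -d)}
  make_root_ca "$dir"
  make_ipa_csr "$dir"
  sign_ipa_csr "$dir"
  chains_to_root "$dir/ipa.crt" "$dir/root.crt" || { echo "chain check failed" >&2; exit 1; }
  is_ca_cert "$dir/ipa.crt" || { echo "issued cert is not a CA cert" >&2; exit 1; }
  echo "signed IPA CA cert: $dir/ipa.crt, chain: $dir/ipa-chain.pem"
}
main "$@"
```

Run it with an output directory as the only argument, or with none to use a fresh mktemp directory. In a real pipeline the only pieces that change are make_root_ca (replaced by whatever CA the organisation already operates) and make_ipa_csr (replaced by copying /root/ipa.csr off the freshly installed host); the two checks at the end stay, since they catch the most common way this hand-off goes wrong.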