[Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation

Jan Cholasta jcholast at redhat.com
Tue Jan 19 06:24:03 UTC 2016


On 18.1.2016 12:42, Martin Kosek wrote:
> On 01/18/2016 12:05 PM, Peter Pakos wrote:
>> On 18/01/2016 08:06, Martin Kosek wrote:
>>> I am hoping that this is well explained here:
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
>>>
>>>
>>> Some useful notes are also Dmitri Pal's blog post:
>>> http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/
>>
>> Thanks for the docs.
>>
>> I'm trying to get my head around this... if I have a working CA-ful FreeIPA
>> setup and then install 3rd party SSL certificates for HTTP/LDAP only (including
>> 3 root CA certs from the chain) - does this replace original self-signed CA
>> that FreeIPA generated (and becomes External CA install) or does CA stay
>> untouched and I can still take advantage of all the goodies that come with
>> CA-ful install like automatic certificates renewals (apart from HTTP/LDAP ones)?
>>
>> Or does this become a multi CA install?
>>
>> BTW, I can see that the root certificates are getting added to /etc/ipa/ca.crt.
>
> You should be still able to benefit from all the goodies the CA-ful FreeIPA
> has. As you noticed above, all root CA certs should be added to ca.crt (see
> help for ipa-certupdate tool), it is used to update certs on server/client and
> add the new CA certificates.
>
>>>> I'm also thinking ahead, when it comes to renewing certificates when they
>>>> expire in 1 year time, which install type would cause less problems?
>>>
>>> In CA-ful installation, client certificates or FreeIPA CA subsystem
>>> certificates should just renew automatically. In CA-less, you need to take care
>>> to renew them manually with your 3rd party certificate provider.
>>
>> So in my CA-ful install with 3rd party SSL certificate installed, how would the
>> renewal look?
>
> All certificates issued by FreeIPA CA should be renewed automatically by
> certmonger (if configured). External certificates need to be renewed
> manually. Honza, does certmonger already warn about non-IPA certificates that
> are getting close to expiration date or is this rather an RFE for future?

It's an RFE, covered by my "certmonger everywhere" proposal: 
<https://www.redhat.com/archives/freeipa-devel/2015-December/msg00475.html> 
(the part about uniform certmonger configuration).

>
>> I understand that I would have to install new HTTP/LDAP certificates manually
>> as they were signed by external CA, but would all certificates issued by
>> FreeIPA CA still renew automatically?
>
> They should, yes.
>
>>>> I've failed to find any useful info covering the above points, so if you know
>>>> anything, please just let me know.
>>>
>>> I think the important point is that even if you choose to install with CA-less
>>> for now, you can switch to CA-ful later via ipa-ca-install:
>>>
>>> http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion
>>
>> Thank you, your help is much appreciated!
>>
>


-- 
Jan Cholasta
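Since the thread notes that certmonger does not (yet) warn about externally issued HTTP/LDAP certificates approaching expiry, the following is an added example of a small expiry check an administrator could run from cron. It is not part of this thread or of the FreeIPA project; it assumes PEM-encoded certificate files whose paths you supply, and an `openssl` binary on PATH. The threshold and file names in the comments are constructed.

```shell
#!/bin/sh
# Expiry check for certificates that certmonger does not renew for you
# (constructed example; not FreeIPA code). Relies only on openssl's own
# -checkend date handling, so no shell-side date parsing is needed.

# cert_expires_within PEMFILE DAYS
# Returns 0 (true) if the certificate in PEMFILE expires within DAYS days
# (or is already expired), 1 otherwise. openssl's -checkend exits 0 when
# the certificate will still be valid after the given number of seconds,
# so the result is negated here.
cert_expires_within() {
    pemfile=$1
    days=$2
    ! openssl x509 -in "$pemfile" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# cert_not_after PEMFILE
# Prints the notAfter date string as reported by openssl, for the report line.
cert_not_after() {
    openssl x509 -in "$pemfile" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# report_external_certs DAYS PEMFILE...
# Prints one line per certificate: "RENEW <file> (expires <date>)" when it
# expires within DAYS days, "OK <file> (expires <date>)" otherwise.
# Returns the number of certificates that need attention, so a cron job
# can treat a non-zero status as an alert.
report_external_certs() {
    threshold=$1
    shift
    needs_renewal=0
    for pemfile in "$@"; do
        if [ ! -r "$pemfile" ]; then
            echo "MISSING $pemfile"
            needs_renewal=$(( needs_renewal + 1 ))
            continue
        fi
        expires=$(cert_not_after "$pemfile")
        if cert_expires_within "$pemfile" "$threshold"; then
            echo "RENEW $pemfile (expires $expires)"
            needs_renewal=$(( needs_renewal + 1 ))
        else
            echo "OK $pemfile (expires $expires)"
        fi
    done
    return $needs_renewal
}

# Usage (constructed paths; point these at the PEM copies of your externally
# issued HTTP and LDAP server certificates):
#   report_external_certs 30 /etc/pki/tls/certs/ipa-http.pem /etc/pki/tls/certs/ipa-ldap.pem
```

Certificates issued by the FreeIPA CA remain certmonger's job, as the thread says; this check only covers the externally issued ones that certmonger tracks but cannot renew. The 30-day threshold is a constructed value; pick whatever lead time your certificate provider needs.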



