Kristian Petersen wrote:
New but related question: If I just want to add new LDAP and HTTPS
certs (not replacing the current ones) I know that can be done. I read
an article from Florence Blanc-Renaud that mentions it, but I ran into
some errors and I'm trying to troubleshoot them. When I ran
ipa-server-certinstall and gave it the key I generated and the crt file
I got from Digicert it said the entire chain was not present. So then I
tried including the DigiCertCA.crt file as well, however, I got the same
result.
I next tried adding the DigiCert certificate to IPA using
ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
This also failed, giving an error that the cert was invalid because the
Peer's Certificate issuer was not recognized. Any thoughts about what I
might have missed?
You don't have the full chain. It can be tricky to find the whole list
even on CAs that make it relatively easy.
What you want to do is use a tool like openssl x509 to display the
subject and issuer:
openssl x509 -text -noout -in /path/to/cert
I'd start with the server cert you've been issued. Find a matching CA
cert where the subject of the CA cert matches the issuer on the server cert.
Then find another CA cert whose subject matches the issuer of the bottom
of the chain, and work upwards until you find a CA cert where the issuer
and subject match. Then you've found the root. That plus the other
matching CA certs is your chain.
I'll also note about the "add but not replace" the LDAP and Web certs.
There can only be one active. You can certainly use different physical
files and nicknames to store the new certs but only one set is active at
a time.
rob
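Rob's subject-to-issuer walk as a script, added here as an example and not taken from the thread or from FreeIPA. It assumes the CA certificates you have collected (DigiCertCA.crt and whatever else you find) are copied into one directory, and it relies only on openssl x509 as described above:

```shell
#!/bin/sh
# Walk from the issued server certificate up to the self-signed root by
# matching each certificate's issuer against the subjects of the CA certs
# found in a directory, printing the chain in order (server cert first).
# Usage: build_chain /path/to/server.crt /path/to/ca-pool-dir   (paths assumed)
build_chain() {
    current="$1"
    pool="$2"
    depth=0
    printf '%s\n' "$current"
    while :; do
        subject=$(openssl x509 -noout -subject -in "$current")
        issuer=$(openssl x509 -noout -issuer -in "$current")
        subject=${subject#subject=}   # drop the "subject=" / "issuer=" labels
        issuer=${issuer#issuer=}
        # Subject equal to issuer means self-signed: this is the root, done.
        if [ "$subject" = "$issuer" ]; then
            return 0
        fi
        depth=$((depth + 1))
        if [ "$depth" -gt 10 ]; then
            echo "more than 10 hops without reaching a root; giving up" >&2
            return 1
        fi
        next=""
        for cand in "$pool"/*; do
            # Skip anything that is not a parseable certificate (keys, CSRs, ...).
            cand_subject=$(openssl x509 -noout -subject -in "$cand" 2>/dev/null) || continue
            cand_subject=${cand_subject#subject=}
            if [ "$cand_subject" = "$issuer" ]; then
                next="$cand"
                break
            fi
        done
        if [ -z "$next" ]; then
            # No CA cert with the needed subject: the chain is incomplete.
            echo "missing CA cert with subject:$issuer" >&2
            return 1
        fi
        printf '%s\n' "$next"
        current="$next"
    done
}
```

Concatenating the files it prints, in that order, gives the chain from server cert to root. Matching names does not prove the signatures, so finish with openssl verify -CAfile <root> -untrusted <intermediates> <server cert>.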
On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Kristian Petersen via FreeIPA-users wrote:
> That outlines the options, but not why I should or shouldn't use any of
> them. That is more of what I am looking for.
It's less benefit analysis and more forced by internal requirements.
Often an organization already has a CA and wants any additional CAs to
be subordinates.
The downside of an external CA is some additional complexity.
Installation can be more difficult (users often have issues getting
their external CA to properly sign the IPA CSR), dealing with a longer
certificate chain and being bound by the expiration date of the
external CA.
rob
>
> On Fri, Oct 11, 2019 at 9:47 AM François Cami <fcami(a)redhat.com> wrote:
>
> Hi,
>
> On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
> >
> > Hey y'all,
> >
> > What are the pros and cons of using and external or internal CA
> for FreeIPA/IdM? I am trying to decide which to do but having
> trouble finding a lot of info about why I would want to do one or
> the other.
>
> The choices are documented there:
>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server
>
> François
>
> > Thanks in advance!
> >
> > --
> > Kristian Petersen
> > System Administrator
> > BYU Dept. of Chemistry and Biochemistry
> > _______________________________________________
> > FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> <mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
> <mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
>
>
> --
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry
>
>
>
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry