On 24/01/2022 11:13, lejeczek via FreeIPA-users wrote:
> On 21/01/2022 23:09, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>> Hi guys
>>>
>>> I'm for the first time contemplating CA service from a public CA, to
>>> subordinate IPA to it. Would it make sense, with a *.sub.domain cert,
>>> if one already has such a cert from that public CA, to still want to sub
>>> IPA's CA?
>>>
>>> (not a CA expert so go easy on me)
>> I'm not quite sure I understand the question.
>>
>> I think what you're asking is: I have a wildcard cert from a public CA.
>> Is that sufficient or should I get my IPA CA signed by the public CA?
>>
>> For the first question, maybe. You can replace the IPA web and LDAP
>> certificates with the one from the public CA but it requires manual
>> intervention at renewal, and the more you share that key around the less
>> secure it is in general.
>>
>> For the second question, I seriously doubt a public CA will sign an IPA
>> CA because of policies. And if they did you'd need a small fortune to
>> do it.
>>
>> rob
>>
> That is pretty much what I wondered about.
> Now, trying that first thing with the "maybe", IPA is not happy.
> I've added the Root CAs but:
> -> $ ipa-server-certinstall -w -d private_key.key ssl_certificate.cer
> Directory Manager password:
> Enter private key unlock password:
> cannot connect to 'https://sucker.private:443/acme/directory': [Errno 111] Connection refused
> The ipa-server-certinstall command failed.
> ...
> No KRA in this domain - is that why?
Such a silly thing; it did not cross my mind to check 'httpd', which had
crashed.
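A pre-flight script for the step discussed in this thread (swapping the IPA web and LDAP certificates for a public-CA one with `ipa-server-certinstall -w -d`), added here as an example; it is not from the thread and not part of FreeIPA. It checks the three things that bit in the thread or that Rob warned about: the private key actually belongs to the certificate, the certificate chains to the trust bundle IPA serves to clients, and httpd plus the directory server are up before the tool tries to reach the IPA API (a dead httpd is what produced the "Connection refused" above). It assumes `openssl` and `systemctl` are on PATH, that the trust bundle is at `/etc/ipa/ca.crt`, and that the unit names `httpd` and `dirsrv.target` apply on the host; all three are assumptions, and the key passphrase is read from the optional `IPA_KEY_PASS` environment variable so the script does not prompt.

```shell
#!/bin/sh
# Pre-flight checks before `ipa-server-certinstall -w -d KEY CERT`.
# Added example, not FreeIPA code. Assumptions: openssl and systemctl exist,
# the IPA trust bundle is /etc/ipa/ca.crt, and the services to verify are
# httpd and dirsrv.target (override IPA_CA_BUNDLE / IPA_SERVICES to taste).

IPA_CA_BUNDLE="${IPA_CA_BUNDLE:-/etc/ipa/ca.crt}"
IPA_SERVICES="${IPA_SERVICES:-httpd dirsrv.target}"

# check_inputs KEY CERT: both files must exist and be readable.
check_inputs() {
    key="$1"; cert="$2"
    [ -r "$key" ]  || { echo "key not readable: $key"   >&2; return 1; }
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    return 0
}

# cert_key_match KEY CERT: compare the SubjectPublicKeyInfo embedded in the
# certificate with the one derived from the private key. Comparing SPKI (not
# the RSA modulus) makes this work for RSA and EC keys alike. An encrypted
# key is unlocked with $IPA_KEY_PASS when set; otherwise openssl prompts.
cert_key_match() {
    key="$1"; cert="$2"
    check_inputs "$key" "$cert" || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    if [ -n "${IPA_KEY_PASS:-}" ]; then
        key_pub=$(openssl pkey -in "$key" -pubout -passin env:IPA_KEY_PASS 2>/dev/null) || return 1
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# chain_ok CERT: the leaf must verify against the bundle IPA hands to clients.
# With -w -d the cert is served by httpd and 389-ds, so a broken chain shows
# up as TLS failures on every enrolled client, not just in a browser.
chain_ok() {
    cert="$1"
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    openssl verify -CAfile "$IPA_CA_BUNDLE" "$cert" >/dev/null 2>&1
}

# services_ok: ipa-server-certinstall talks to the IPA API through httpd and
# writes the LDAP cert via the directory server; if either is down the tool
# fails with a connection error rather than a certificate error.
services_ok() {
    for svc in $IPA_SERVICES; do
        systemctl is-active --quiet "$svc" || { echo "$svc is not active" >&2; return 1; }
    done
    return 0
}

# preflight KEY CERT: run all checks; print the command to run on success.
preflight() {
    key="$1"; cert="$2"
    cert_key_match "$key" "$cert" || { echo "certificate/key mismatch or unreadable input" >&2; return 1; }
    chain_ok "$cert"              || { echo "certificate does not chain to $IPA_CA_BUNDLE" >&2; return 1; }
    services_ok                   || return 1
    echo "pre-flight OK; run: ipa-server-certinstall -w -d $key $cert"
}

# Usage: sh preflight.sh private_key.key ssl_certificate.cer
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The checks run in the order in which failures are cheapest to diagnose: a mismatched key or a missing file is a local problem, a chain failure points at the bundle, and only then are the services consulted. Rob's renewal caveat still stands: a public-CA certificate installed this way is outside certmonger's tracking, so the script is worth re-running at every manual renewal.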