On Tue, 28 Aug 2018, Peter Tselios via FreeIPA-users wrote:
Hello,
I have a FreeIPA installation (4.5.4). There is a one-way trust with the Active Directory
server.
We had set up 2 different CAs (one for the Linux domain and one for the
AD). However, the management decided to use only the AD CA, thus I need
to convert the FreeIPA CA to an AD subordinate CA. So, I am looking
for a way to replace the CA in FreeIPA without re-installing it.
Is it possible?
If so, can you please point me to the correct documentation? (What I
found so far is for installation, not migration).
There is a tool, 'ipa-cacert-manage', that allows changing CA
certificates.
One of the tests we have in FreeIPA covers switching the integrated CA to
an externally signed one:
https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_ex...
It is done in two steps:
1. Run 'ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs' to
generate a signing request. Pass that CSR to the AD CA to sign. See the
man page for the tool for more options and details.
2. Run 'ipa-cacert-manage renew --external-cert-file=FILE' to provide
the resulting signed certificate back to IPA.
You'd need to experiment with the tool on a test setup to see how it
behaves and what is needed to properly go through the process.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
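The two-step procedure described in the reply above, written up as a shell wrapper with the checks a practitioner would want before handing the AD-signed certificate to IPA. This is an added example, not code from the thread or from the FreeIPA project. Assumptions (confirm against the ipa-cacert-manage man page on your version): the CSR is written to /var/lib/ipa/ca.csr, --external-cert-file can be repeated to supply the AD chain next to the IPA CA certificate, and ipa-certupdate is run afterwards to refresh trust stores. The check_signed_cert function only needs openssl and can be exercised on a test setup before touching IPA.

```shell
#!/usr/bin/env bash
# Added example for this thread, not FreeIPA's own tooling: wraps the two
# ipa-cacert-manage steps and sanity-checks what AD CS hands back before
# installing it.
set -eu

# Assumption: ipa-cacert-manage writes the CSR here; check the tool's output.
CSR_PATH=${CSR_PATH:-/var/lib/ipa/ca.csr}

# Step 1: have IPA generate a CSR for its CA, formatted for MS Certificate
# Services (--external-ca-type=ms-cs).
generate_csr() {
    ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
    echo "Submit $CSR_PATH to the AD CA using a Subordinate CA template."
}

# Pre-flight checks on the signed certificate before handing it to IPA:
#   1. its public key matches the CSR (AD signed our key, not a stale one)
#   2. basicConstraints says CA:TRUE (a leaf certificate cannot act as IPA's CA;
#      this is what goes wrong when AD signs with the wrong template)
#   3. it chains to the AD CA chain we were given
check_signed_cert() {
    local cert=$1 csr=$2 chain=$3
    local cert_key csr_key
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
    if [ "$cert_key" != "$csr_key" ]; then
        echo "public key in $cert does not match $csr" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "$cert is not a CA certificate (wrong AD template?)" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "$cert does not chain to $chain" >&2
        return 1
    fi
    return 0
}

# Step 2: install the signed certificate. Assumption: --external-cert-file may
# be repeated so the AD chain is supplied with the IPA CA certificate, and
# ipa-certupdate then refreshes the trust store on every server and client.
install_signed_cert() {
    local cert=$1 csr=$2 chain=$3
    check_signed_cert "$cert" "$csr" "$chain"
    ipa-cacert-manage renew --external-cert-file="$cert" --external-cert-file="$chain"
    ipa-certupdate
}

case "${1:-}" in
    csr)     generate_csr ;;
    install) install_signed_cert "$2" "$CSR_PATH" "$3" ;;
    *)       : ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

Usage on the IPA server: `./ipa-ca-switch.sh csr`, hand the CSR to the AD administrator, then `./ipa-ca-switch.sh install signed-ipa-ca.pem ad-chain.pem`. The third check matters because `openssl verify` with the AD chain is exactly what every IPA client will do once the new CA certificate is distributed; a cert that fails here would break the domain after step 2 rather than before it.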