We are in the process of switching to using an external CA. We have successfully gone through the process and indeed the Web UI now shows the expected certificate chain.
However when we issue certificates to our clients downstream they are using a signing certificate that was not issued by the new external CA. I've tried to find in the documentation how that gets set, but seem to be at a loss. Can anyone point me in the correct direction?
Thanks! Jeff
How are you issuing the certs for the clients? Are they signed by the same certificate chain that signed the IPA certificate? Did you install the CA certificate chain as trusted CA on the clients?
On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
We are in the process of switching to using an external CA. We have successfully gone through the process and indeed the Web UI now shows the expected certificate chain.
However when we issue certificates to our clients downstream they are using a signing certificate that was not issued by the new external CA. I've tried to find in the documentation how that gets set, but seem to be at a loss. Can anyone point me in the correct direction?
Thanks! Jeff
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
The certificates are being issued via ipa-getcert. The certificates we get back are signed with what looks to be the old "self-signed" IPA CA certificate. The CN is the same as the new one, but the serial / expiry and issuer is different than what IPA is using for its own web-ui.
On Wed, Jul 12, 2017 at 8:23 PM, Jatin Nansi <jnansi@redhat.com> wrote:
How are you issuing the certs for the clients? Are they signed by the same certificate chain that signed the IPA certificate? Did you install the CA certificate chain as trusted CA on the clients?
You can not use ipa-getcert to request / issue certificates from an external CA. Issuing certificates now needs to be managed by the external CA's tools. You should also disable the old CA from starting up on IPA server.
Jatin
On Thu, Jul 13, 2017 at 10:20 PM, Jeff Fouchard via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
The certificates are being issued via ipa-getcert. The certificates we get back are signed with what looks to be the old "self-signed" IPA CA certificate. The CN is the same as the new one, but the serial / expiry and issuer is different than what IPA is using for its own web-ui.
Jatin Nansi via FreeIPA-users wrote:
You can not use ipa-getcert to request / issue certificates from an external CA. Issuing certificates now needs to be managed by the external CA's tools. You should also disable the old CA from starting up on IPA server.
I guess it depends what the definition of external CA is. Was the IPA CA re-signed using an external CA or did you intend to drop the IPA CA entirely and depend on the remote CA?
For #1 then it is working as expected. The IPA CA is a subordinate CA to your remote so things should work fine.
For #2 then you can't use ipa-getcert[1] or ipa cert-request to manage the certificates.
rob
[1] Theoretically you could configure a CA for certmonger that would use the remote and assuming certmonger could talk to it then it should work. I'm not sure anyone has tried this before so you'd be walking on the edge.
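The distinction Rob draws between case #1 (the IPA CA re-signed as a subordinate of the external root) and case #2 (a separate self-signed CA) is exactly what produces the symptom Jeff reports: two CA certificates with the same CN but different keys, serials and expiry. The script below, an added example that is not from the thread or from the FreeIPA project, reproduces that situation with throwaway keys and shows how to tell the cases apart with `openssl verify`: a leaf issued by the subordinate CA chains to the external root, while a leaf issued by the old self-signed CA fails even though its issuer DN reads the same. It assumes `openssl` is on PATH; every name, subject and file under the temp directory is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the symptom described above and
# tell Rob's case #1 from case #2 with openssl. Two CA certificates share the CN
# "Certificate Authority": one is subordinate to an external root (case #1), the
# other is the old self-signed IPA CA (case #2). Leaves signed by each look alike
# in -issuer output, but only one chains to the external root.
# All names, subjects and files under DEMO_DIR are constructed for this demo.

DEMO_DIR=$(mktemp -d)

# issuer_cn FILE: print the issuer DN of a PEM certificate in RFC 2253 form.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# verify_leaf ROOT SUB LEAF: exit 0 only if LEAF chains, via SUB, to ROOT.
# A leaf signed by a different key whose subject merely matches SUB's fails.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_ca OUT_PREFIX SUBJECT [ISSUER_PREFIX]: self-signed CA when no issuer is
# given, otherwise a subordinate CA signed by ISSUER_PREFIX.pem / .key.
make_ca() {
    if [ -z "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    else
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$1.ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null
        openssl x509 -req -days 2 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
            -CAcreateserial -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

# make_leaf OUT_PREFIX SUBJECT ISSUER_PREFIX: end-entity cert signed by that CA.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -out "$1.pem" 2>/dev/null
}

# Build the external root, the re-signed (subordinate) IPA CA, the old
# self-signed IPA CA with the same CN, and one leaf from each IPA CA.
setup_demo() {
    d=$DEMO_DIR
    make_ca "$d/root"    "/CN=External Root CA"
    make_ca "$d/ipa-sub" "/CN=Certificate Authority" "$d/root"
    make_ca "$d/ipa-old" "/CN=Certificate Authority"
    make_leaf "$d/leaf-new" "/CN=host.example.test" "$d/ipa-sub"
    make_leaf "$d/leaf-old" "/CN=host.example.test" "$d/ipa-old"
}

setup_demo

# Same issuer DN on both leaves, different serial, and only leaf-new verifies.
for leaf in leaf-new leaf-old; do
    printf '%s: issuer=%s serial=%s chain-to-root=' "$leaf" \
        "$(issuer_cn "$DEMO_DIR/$leaf.pem")" \
        "$(openssl x509 -in "$DEMO_DIR/$leaf.pem" -noout -serial | sed 's/^serial=//')"
    if verify_leaf "$DEMO_DIR/root.pem" "$DEMO_DIR/ipa-sub.pem" "$DEMO_DIR/$leaf.pem"; then
        echo OK
    else
        echo FAIL
    fi
done
```

On a real deployment the same check is `openssl verify -CAfile <external root> -untrusted /etc/ipa/ca.crt <cert from ipa-getcert>`: if that passes, the IPA CA is a subordinate of the external CA and ipa-getcert output is fine (case #1); if the issuer DN matches but verification fails, the certificate was signed by a CA key that is not in the new chain.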
On Thu, Jul 13, 2017 at 08:20:02AM -0400, Jeff Fouchard via FreeIPA-users wrote:
The certificates are being issued via ipa-getcert. The certificates we get back are signed with what looks to be the old "self-signed" IPA CA certificate. The CN is the same as the new one, but the serial / expiry and issuer is different than what IPA is using for its own web-ui.
What procedure did you use to switch to an external CA?