Hi,
We've installed a replicated 7Server IPA setup with an internal CA. Now, due to corporate policies, we need to migrate to a no-CA setup (because we need to use corporate-signed certificates, and a sub-CA is also not allowed). So we need to migrate from a 7Server internal-CA replicated IPA to an 8Server no-CA replicated IPA.
ipa-replica-install does not support --ca-cert-file, so we cannot install the new replica with the corporate certificates straight away. What would be the correct procedure?
I've come up with the following steps:
1. Install the new 8Server replicas without a CA (they will get the self-signed certificates from the existing 7Server master, the first master).
2. First add the corporate root CA to the system ca-bundle.trust.crt on both the 7Server and 8Server nodes.
3. Manually replace the HTTP and LDAP certificates with corporate-signed certificates.
4. Remove the 7Server replica and first master, so we end up with the no-CA 8Server nodes only.
I'm wondering whether replication will still be functional when performing step 3, but I can perform additional testing on that. We are running production with our setup, so we need an 'online' migration strategy.
Would this be the best approach, or do I need another solution? ;-)
This will let you add outside certs for the services that would be visible to users: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
It doesn't actually turn off the CA functionality, but it becomes largely unused.
I'd actually be interested in a way to move completely to CA-less operation, if there is one.
On Oct 3, 2019, at 5:15 AM, Marco V. via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Charles Hedrick via FreeIPA-users wrote:
this will let you add outside certs for the services that would be visible to users: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
It doesn’t actually turn off the CA functionality, but it becomes largely unused.
I haven't tested it, but his proposal makes some sense. Once you have a working master without a CA using 3rd party certs, I don't see why you couldn't remove the other masters and be left with only the master with 3rd party certs (you'd have to use --ignore-last-of-role when removing the last CA).
ipa-cacert-manage has no ability to remove certs currently so you'd eventually want to manually (e.g. ldapmodify) remove the old IPA CA cert from the stored list and run ipa-certupdate on all the enrolled clients to completely wipe out the old CA.
Honestly, I'm not sure I'd do this at the same time as also changing distributions, to limit the number of moving parts, but I don't know of any specific reason it wouldn't work.
Be sure to add a new entry on what will be the final master to ensure there is a DNA configuration.
I'd suggest trying this a few times in a lab, since it is a destructive operation. There are likely a few loose ends that, while they probably wouldn't prevent operation, could cause confusion. I think trying it a few times might shake those out in advance.
rob
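The IPA-side commands behind steps 2 and 3 of the proposal, plus the ipa-certupdate refresh and a look at the stored CA list that Rob's reply points at, as an added example that is not part of the thread. The file paths, the nickname, the base DN and the HTTP_PIN/LDAP_PIN variables are assumptions; replication health is checked with ipa-replica-manage afterwards because that is the open question in the thread.

```shell
#!/bin/bash
# Added example, not from the thread. Run on each IPA server as root with an
# admin Kerberos ticket. All paths, the nickname and the suffix are assumptions.
set -eu

CORP_ROOT=/etc/pki/corp/corp-root.pem   # assumed: corporate root CA (PEM)
CORP_NICK="Corporate Root CA"           # assumed nickname in the IPA cert store
HTTP_P12=/etc/pki/corp/http.p12         # assumed: corporate-signed HTTP cert+key
LDAP_P12=/etc/pki/corp/ldap.p12         # assumed: corporate-signed LDAP cert+key
SUFFIX="dc=example,dc=com"              # assumed IPA base DN

# Map a service name to the ipa-server-certinstall flag that selects it
# (-w = HTTP/Apache, -d = LDAP/Directory Server). Pure, so it is testable offline.
certinstall_args() {
  case "$1" in
    http) echo "-w $2" ;;
    ldap) echo "-d $2" ;;
    *) echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# Step 2: publish the corporate root in IPA's LDAP certificate store, then let
# ipa-certupdate rewrite the local trust stores (ca-bundle.trust.crt included).
# Enrolled clients pick it up the same way when they run ipa-certupdate.
install_corporate_root() {
  ipa-cacert-manage install "$CORP_ROOT" -n "$CORP_NICK" -t C,,
  ipa-certupdate
}

# Step 3: swap the HTTP and LDAP server certificates for the corporate-signed ones.
replace_service_certs() {
  ipa-server-certinstall $(certinstall_args http "$HTTP_P12") --pin "$HTTP_PIN"
  ipa-server-certinstall $(certinstall_args ldap "$LDAP_P12") --pin "$LDAP_PIN"
  ipactl restart
}

# Is replication still healthy after step 3? Also list the CAs IPA distributes;
# the old IPA CA entry is the one Rob suggests removing by hand later.
verify_after_cutover() {
  ipa-replica-manage list -v "$(hostname -f)"
  ldapsearch -Y GSSAPI -LLL -b "cn=certificates,cn=ipa,cn=etc,$SUFFIX" cn
}

if [ "${1:-}" = "--run" ]; then
  : "${HTTP_PIN:?set HTTP_PIN}" "${LDAP_PIN:?set LDAP_PIN}"
  install_corporate_root
  replace_service_certs
  verify_after_cutover
fi
```

Nothing is changed unless the script is invoked with --run, so it can be sourced in a lab shell and the functions run one at a time between replication checks.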