We have IdM / FreeIPA running on RHEL 7 boxes. This is a 6-node cluster that has an existing 1-way trust back to Active Directory.
IdM is still acting as the CA for its own clients, and when we set up the trust, we used the following command: ipa trust-add --type=ad example.com --admin admin_user
We just learned very recently that our Active Directory team is generating and installing a new Root CA certificate into AD. That is happening tonight at 9pm.
The existing Root CA will remain in place until it expires in about 1 month.
Is there anything that we will have to do to IdM to get it to trust the new certificate? Even though the existing Root CA should remain in place for the next month, is there any chance something will break tonight when the new Root certificate is installed?
I know we would be facing a lot more work, had we used AD’s Root CA for the client connections. So I feel fortunate in that regard.
On Wed, 24 Jun 2020, White, David via FreeIPA-users wrote:
> We have IdM / FreeIPA running on RHEL 7 boxes. This is a 6-node cluster that has an existing 1-way trust back to Active Directory.
> IdM is still acting as the CA for its own clients, and when we set up the trust, we used the following command: ipa trust-add --type=ad example.com --admin admin_user
> We just learned very recently that our Active Directory team is generating and installing a new Root CA certificate into AD. That is happening tonight at 9pm.
> The existing Root CA will remain in place until it expires in about 1 month.
> Is there anything that we will have to do to IdM to get it to trust the new certificate?
Trust to Active Directory does not rely on any CA certificate or certificate properties from Active Directory. Many Active Directory forests do not have an integrated CA at all.
So for the trust to AD specifically, this is not an issue.
However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might be affected. Please clarify whether this is indeed the case.
> Trust to Active Directory does not rely on any CA certificate or certificate properties from Active Directory. Many Active Directory forests do not have an integrated CA at all.
Thanks. That makes me feel a lot better about tonight.
> However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might be affected. Please clarify whether this is indeed the case.
I can confirm that we do NOT have IPA setup as a sub-CA. There was actually a complicated conversation about that specific topic when we were in the midst of deploying. 1 week after having RHEL consultants on site, one of my colleagues made me re-deploy the entire cluster again, because he wanted the sub-CA. After even more back and forth with our Corporate AD team, and testing, we re-deployed yet again without the sub-CA. It was a fiasco. The consultant was great. My colleagues were not. Felt like the longest 3 weeks of my life, with requirements changing on me every other day. LOL.
Thank you!
On 6/24/20, 8:13 AM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
> On Wed, 24 Jun 2020, White, David via FreeIPA-users wrote:
> > We have IdM / FreeIPA running on RHEL 7 boxes. This is a 6-node cluster that has an existing 1-way trust back to Active Directory.
> > IdM is still acting as the CA for its own clients, and when we set up the trust, we used the following command: ipa trust-add --type=ad example.com --admin admin_user
> > We just learned very recently that our Active Directory team is generating and installing a new Root CA certificate into AD. That is happening tonight at 9pm.
> > The existing Root CA will remain in place until it expires in about 1 month.
> > Is there anything that we will have to do to IdM to get it to trust the new certificate?
> Trust to Active Directory does not rely on any CA certificate or certificate properties from Active Directory. Many Active Directory forests do not have an integrated CA at all.
> So for the trust to AD specifically, this is not an issue.
> However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might be affected. Please clarify whether this is indeed the case.
> --
> Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
On 6/24/20 2:01 PM, White, David via FreeIPA-users wrote:
> We have IdM / FreeIPA running on RHEL 7 boxes. This is a 6-node cluster that has an existing 1-way trust back to Active Directory.
> IdM is still acting as the CA for its own clients, and when we set up the trust, we used the following command: ipa trust-add --type=ad example.com --admin admin_user
> We just learned very recently that our Active Directory team is generating and installing a new Root CA certificate into AD. That is happening tonight at 9pm.
> The existing Root CA will remain in place until it expires in about 1 month.
> Is there anything that we will have to do to IdM to get it to trust the new certificate? Even though the existing Root CA should remain in place for the next month, is there any chance something will break tonight when the new Root certificate is installed?
Hi,
are you using smart card authentication with certificates delivered by AD's Root CA? If it is the case, you will need to re-run the scripts used to configure the clients and servers for smart card authentication, providing the new AD's Root CA. See "Preparing the Identity Management Client for Smart-card Authentication" [1] and "Preparing the Identity Management Server for Smart-card Authentication in the Web UI" [2].
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> I know we would be facing a lot more work, had we used AD’s Root CA for the client connections. So I feel fortunate in that regard.
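Added example, not code from any post in this thread: a small POSIX shell helper for the two checks the thread turns on. ipa_ca_kind answers Alexander's sub-CA question by testing whether the first certificate in a PEM file (IPA's own CA certificate in /etc/ipa/ca.crt) is self-signed; bundle_has_cert tells you whether a given AD root, identified by its SHA-256 fingerprint, is actually present in a CA bundle before and after tonight's change, which is the store check you want in flo's smart-card case. The last two functions re-run the smart-card helper scripts from the RHEL 7 documents flo links. It needs openssl; the paths, the nickname ad-root-ca-new, the use of ipa-cacert-manage and ipa-certupdate to distribute the new root, and passing the new root to the ipa-advise scripts as a file argument are assumptions to verify against those documents for your release.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread. Paths, the nickname
# "ad-root-ca-new" and the advise-script argument are assumptions.
set -e

# Print "root" if the first certificate in PEM file $1 is self-signed
# (subject equals issuer), else "sub-ca". IPA's own CA certificate is the
# first entry of /etc/ipa/ca.crt; "root" means it does not chain to AD's CA.
ipa_ca_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # strip the "subject="/"issuer=" prefixes; works for 1.0.2 and 1.1+/3.x output
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo root
    else
        echo sub-ca
    fi
}

# Return 0 if any certificate in PEM bundle $1 has SHA-256 fingerprint $2
# (colon-separated hex, case-insensitive), 1 otherwise. Run it against the
# bundles on a server and a client with the old and the new AD root's
# fingerprint to see what each host really trusts.
bundle_has_cert() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    cert=""
    found=1
    while IFS= read -r line; do
        cert=$(printf '%s\n%s' "$cert" "$line")
        case $line in
        *END\ CERTIFICATE*)
            # one complete PEM block accumulated: fingerprint it and reset
            fp=$(printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
            if [ "$fp" = "$want" ]; then
                found=0
            fi
            cert=""
            ;;
        esac
    done < "$1"
    return $found
}

# Smart-card case from the thread, server side. Assumed extra step: install
# the new AD root into IPA's CA store so ipa-certupdate carries it to every
# server and client; then regenerate and re-run the server helper script
# with the new root, as the RHEL 7 document linked in the thread describes.
refresh_server_smartcard_ca() {
    new_root=$1
    ipa-cacert-manage install "$new_root" -n ad-root-ca-new
    ipa-certupdate
    ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
    sh config-server-for-smart-card-auth.sh "$new_root"
}

# Client side: $1 is the script produced on an IdM server with
# "ipa-advise config-client-for-smart-card-auth" and copied here; $2 is the
# new AD root. ipa-certupdate first pulls the refreshed IPA CA store.
refresh_client_smartcard_ca() {
    client_script=$1
    new_root=$2
    ipa-certupdate
    sh "$client_script" "$new_root"
}
```

Usage: on any IdM server, ipa_ca_kind /etc/ipa/ca.crt should print root for a deployment like the one in the thread; sub-ca would mean the IPA CA chains to the AD CA and the rotation does affect you. For the smart-card case, take the SHA-256 fingerprint the AD team publishes for the new root and run bundle_has_cert against the PEM bundles the helper scripts write to, once now and once after the scripts have been re-run.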
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...