Hello, I have a FreeIPA installation (4.5.4). There is a one-way trust with the ActiveDirectory server. We had set up 2 different CAs (one for the Linux domain and one for the AD). However, the management decided to use only the AD CA, thus I need to convert the FreeIPA CA to an AD subordinate CA. So, I am looking for a way to replace the CA in the FreeIPA without re-installing it. Is it possible? If so, can you please point me to the correct documentation? (What I found so far is for installation, not migration).
On ti, 28 elo 2018, Peter Tselios via FreeIPA-users wrote:
Hello, I have a FreeIPA installation (4.5.4). There is a one-way trust with the ActiveDirectory server. We had set up 2 different CAs (one for the Linux domain and one for the AD). However, the management decided to use only the AD CA, thus I need to convert the FreeIPA CA to an AD subordinate CA. So, I am looking for a way to replace the CA in the FreeIPA without re-installing it. Is it possible? If so, can you please point me to the correct documentation? (What I found so far is for installation, not migration).
There is a tool 'ipa-cacert-manage' that allows making changes to CA certificates.
One of the tests we have in FreeIPA tests a switch of the integrated CA to an externally signed one:
https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_exter...
It is done in two steps:
1. Run 'ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs' to generate a signing request. Pass that CSR to the AD CA to sign. See the man page for the tool for more options and details.
2. Run 'ipa-cacert-manage renew --external-cert-file=FILE' to provide the resulting signed certificate back to IPA.
You'd need to experiment with the tool on a test setup to see how it behaves and what is needed to properly go through the process.
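An added pre-check for the hand-off between the two steps above; it is not from this thread or from FreeIPA itself. Before feeding the certificate returned by the AD CA to 'ipa-cacert-manage renew --external-cert-file', it confirms that the certificate carries the same public key as the CSR from step 1 and that it was issued as a CA certificate (basicConstraints CA:TRUE) rather than as an end-entity certificate. It assumes the openssl CLI is installed; the file names are placeholders.

```shell
#!/bin/sh
# Pre-check (added example, not FreeIPA code): validate the certificate an
# external (AD) CA returned for the CSR produced by
#   ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
# before handing it back with
#   ipa-cacert-manage renew --external-cert-file=FILE
# Assumes the openssl CLI; file names below are placeholders.
set -u

# Print the PEM public key embedded in a CSR ("csr") or certificate ("cert").
pubkey_of() {
    case "$1" in
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac
}

# Return 0 if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# verify_external_ca_cert CSR CERT
# Exit 0 when CERT matches CSR's key and is a CA certificate,
# 1 on a key mismatch, 2 when CERT is not a CA certificate.
verify_external_ca_cert() {
    csr=$1; cert=$2
    if [ "$(pubkey_of csr "$csr")" != "$(pubkey_of cert "$cert")" ]; then
        echo "public key in $cert does not match $csr" >&2
        return 1
    fi
    if ! is_ca_cert "$cert"; then
        echo "$cert was not issued as a CA certificate (CA:TRUE missing)" >&2
        return 2
    fi
    echo "$cert matches $csr and is a CA certificate"
    return 0
}

# Typical use (placeholder paths), run only when the check passes:
#   verify_external_ca_cert /root/ipa.csr /root/ipa-signed.crt \
#     && ipa-cacert-manage renew --external-cert-file=/root/ipa-signed.crt
```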
On 08/28/2018 05:57 PM, Alexander Bokovoy via FreeIPA-users wrote:
On ti, 28 elo 2018, Peter Tselios via FreeIPA-users wrote:
Hello, I have a FreeIPA installation (4.5.4). There is a one-way trust with the ActiveDirectory server. We had set up 2 different CAs (one for the Linux domain and one for the AD). However, the management decided to use only the AD CA, thus I need to convert the FreeIPA CA to an AD subordinate CA. So, I am looking for a way to replace the CA in the FreeIPA without re-installing it. Is it possible? If so, can you please point me to the correct documentation? (What I found so far is for installation, not migration).
There is a tool 'ipa-cacert-manage' that allows making changes to CA certificates.
One of the tests we have in FreeIPA tests a switch of the integrated CA to an externally signed one:
https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_exter...
It is done in two steps:
- Run 'ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs'
to generate a signing request. Pass that CSR to the AD CA to sign. See the man page for the tool for more options and details.
- Run 'ipa-cacert-manage renew --external-cert-file=FILE' to provide
the resulting signed certificate back to IPA.
You'd need to experiment with the tool on a test setup to see how it behaves and what is needed to properly go through the process.
I will also add that this procedure will replace the FreeIPA CA but will not replace the certificates already delivered by the previous FreeIPA CA.
flo
freeipa-users@lists.fedorahosted.org