Hey y'all,
What are the pros and cons of using an external or internal CA for FreeIPA/IdM? I am trying to decide which to do but having trouble finding a lot of info about why I would want to do one or the other.
Thanks in advance!
Hi,
On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hey y'all,
What are the pros and cons of using an external or internal CA for FreeIPA/IdM? I am trying to decide which to do but having trouble finding a lot of info about why I would want to do one or the other.
The choices are documented there: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
François
Thanks in advance!
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
That outlines the options, but not why I should or shouldn't use any of them. That is more of what I am looking for.
Kristian Petersen via FreeIPA-users wrote:
That outlines the options, but not why I should or shouldn't use any of them. That is more of what I am looking for.
It's less benefit analysis and more forced by internal requirements.
Often an organization already has a CA and wants any additional CAs to be subordinates.
The downside of an external CA is some additional complexity.
Installation can be more difficult (users often have issues getting their external CA to properly sign the IPA CSR), there is a longer certificate chain to deal with, and you are bound by the expiration date of the external CA.
rob
New but related question: If I just want to add new LDAP and HTTPS certs (not replacing the current ones) I know that can be done. I read an article from Florence Blanc-Renaud that mentions it, but I ran into some errors and I'm trying to troubleshoot them. When I ran ipa-server-certinstall and gave it the key I generated and the crt file I got from DigiCert it said the entire chain was not present. So then I tried including the DigiCertCA.crt file as well, however, I got the same result.
I next tried adding the DigiCert certificate to IPA using
ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
This also failed, giving an error that the cert was invalid because the Peer's Certificate issuer was not recognized. Any thoughts about what I might have missed?
Kristian Petersen wrote:
New but related question: If I just want to add new LDAP and HTTPS certs (not replacing the current ones) I know that can be done. I read an article from Florence Blanc-Renaud that mentions it, but I ran into some errors and I'm trying to troubleshoot them. When I ran ipa-server-certinstall and gave it the key I generated and the crt file I got from DigiCert it said the entire chain was not present. So then I tried including the DigiCertCA.crt file as well, however, I got the same result.
I next tried adding the DigiCert certificate to IPA using
ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
This also failed, giving an error that the cert was invalid because the Peer's Certificate issuer was not recognized. Any thoughts about what I might have missed?
You don't have the full chain. It can be tricky to find the whole list even on CAs that make it relatively easy.
What you want to do is use a tool like openssl x509 to display the subject and issuer:
openssl x509 -text -noout -in /path/to/cert
I'd start with the server cert you've been issued. Find a matching CA cert where the subject of the CA cert matches the issuer on the server cert.
Then find another CA cert whose subject matches the issuer of the bottom of the chain, and work upwards until you find a CA cert where the issuer and subject match. Then you've found the root. That plus the other matching CA certs is your chain.
I'll also note about the "add but not replace" the LDAP and Web certs. There can only be one active. You can certainly use different physical files and nicknames to store the new certs but only one set is active at a time.
rob
Rob,
After investigating the certs as you had suggested, I do have the whole chain. The server cert has as its issuer:
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
And the DigiCert.crt file has as its issuer and subject:
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Am I missing something here?
Kristian Petersen wrote:
Rob,
After investigating the certs as you had suggested, I do have the whole chain. The server cert has as its issuer:
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
And the DigiCert.crt file has as its issuer and subject:
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Am I missing something here?
So you have the whole chain in one file? Try adding them individually, starting at the root.
rob
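Added example (editor's code, not from this thread or from the FreeIPA project) of the two things Rob describes: walking from the server cert upward by matching each cert's issuer against the subject of a candidate CA cert until a self-signed root is reached, and splitting a bundle into single certificates so they can be inspected and added one at a time. It builds a constructed toy PKI with openssl (the names Example Root CA, Example Issuing CA, ipa.example.test and Unrelated Root CA are made up and contain no real DigiCert material), then runs the chain walk, cross-checks the result with openssl verify, and splits a concatenated bundle.

```shell
#!/bin/sh
# Added example: chain discovery by subject/issuer matching, plus bundle splitting.
# Every certificate below is generated on the fly as a constructed toy chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject or issuer of a PEM cert in RFC 2253 form, without the "subject=" / "issuer=" prefix.
name_of() {  # $1 = subject | issuer, $2 = PEM file
    openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# Walk upward from a server cert: find the CA cert whose subject equals the current
# issuer, repeat until issuer == subject (the root). Prints the chain, leaf first.
build_chain() {  # $1 = server cert, $2 = directory of candidate CA certs (*.pem)
    current=$1
    chain=$1
    while [ "$(name_of subject "$current")" != "$(name_of issuer "$current")" ]; do
        wanted=$(name_of issuer "$current")
        next=""
        for cand in "$2"/*.pem; do
            [ -f "$cand" ] || continue
            if [ "$(name_of subject "$cand")" = "$wanted" ]; then
                next=$cand
                break
            fi
        done
        if [ -z "$next" ]; then
            echo "chain incomplete: no CA cert with subject '$wanted'" >&2
            return 1
        fi
        chain="$chain $next"
        current=$next
    done
    echo "$chain"
}

# Cross-check a chain printed by build_chain: last file is the trust anchor,
# anything between leaf and root is passed as an untrusted intermediate.
verify_chain() {  # $@ = leaf [intermediate ...] root
    leaf=$1; shift
    args=""
    while [ $# -gt 1 ]; do
        args="$args -untrusted $1"
        shift
    done
    openssl verify -CAfile "$1" $args "$leaf" >/dev/null
}

# openssl x509 only reports the first cert in a file; split a bundle into
# part01.pem, part02.pem, ... and print how many certificates it contained.
split_bundle() {  # $1 = bundle file, $2 = output directory
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/part%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$1"
}

# --- Constructed toy PKI: root -> issuing CA -> server cert, plus an unrelated root ---
mkdir -p "$WORK/ca"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.test\n' > "$WORK/leaf.ext"

new_csr() {  # $1 = base name, $2 = subject (made-up names)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
new_csr root    "/O=Example Corp/CN=Example Root CA"
new_csr issuing "/O=Example Corp/CN=Example Issuing CA"
new_csr server  "/O=Example Corp/CN=ipa.example.test"
new_csr other   "/O=Someone Else/CN=Unrelated Root CA"

openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/ca/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -set_serial 1 \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/ca/other-root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/ca/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 30 -extfile "$WORK/ca.ext" -out "$WORK/ca/issuing.pem" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca/issuing.pem" -CAkey "$WORK/issuing.key" \
    -set_serial 3 -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null

CHAIN=$(build_chain "$WORK/server.pem" "$WORK/ca")
echo "chain (leaf -> root): $CHAIN"
verify_chain $CHAIN && echo "openssl verify: OK"

# A bundle of issuing + root: openssl x509 alone would only show the issuing CA.
cat "$WORK/ca/issuing.pem" "$WORK/ca/root.pem" > "$WORK/bundle.pem"
echo "certs in bundle: $(split_bundle "$WORK/bundle.pem" "$WORK/split")"
```

The walk stops only when a certificate's subject equals its own issuer, so a file that reports the same name for both is being treated as a root; if the server cert's issuer points straight at it, there is no intermediate in between, and if the file actually holds several concatenated certificates, `openssl x509` has shown only the first of them, which is why splitting the bundle before reading subject and issuer matters. Once the files have been separated, each CA cert can be added on its own, root first, and `openssl verify` against the separated files confirms the chain before anything is installed.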
They aren't in one file. But the server cert's issuer is the subject of the DigiCert.crt file. I have already tried adding just the DigiCert.crt file only to have it tell me its Peer's Certificate isn't trusted. I don't even know what certificate that is talking about.
Kristian Petersen via FreeIPA-users wrote:
> They aren't in one file. But the server cert's issuer is the subject of the DigiCert.crt file. I have already tried adding just the Digicert.crt file only to have it tell me it's Peer's Certificate isn't trusted. I don't even know what certificate that is talking about.

Can you share the files?

rob

> On Tue, Oct 15, 2019 at 7:27 AM Rob Crittenden <rcritten@redhat.com> wrote:
> > Kristian Petersen wrote:
> > > Rob,
> > >
> > > After investigating the certs as you had suggested, I do have the whole chain. The server cert has as its issuer:
> > > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > >
> > > And the DigiCert.crt file has as its issuer and subject:
> > > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > > Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > >
> > > Am I missing something here?
> >
> > So you have the whole chain in one file? Try adding them individually, starting at the root.
> >
> > rob
> >
> > > On Fri, Oct 11, 2019 at 12:50 PM Rob Crittenden <rcritten@redhat.com> wrote:
> > > > Kristian Petersen wrote:
> > > > > New but related question: If I just want to add new LDAP and HTTPS certs (not replacing the current ones) I know that can be done. I read an article from Florence Blanc-Renaud that mentions it, but I ran into some errors and I'm trying to troubleshoot them. When I ran ipa-server-certinstall and gave it the key I generated and the crt file I got from Digicert it said the entire chain was not present. So then I tried including the DigiCertCA.crt file as well, however, I got the same result.
> > > > >
> > > > > I next tried adding the DigiCert certificate to IPA using ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
> > > > > This also failed giving an error that the cert was invalid because the Peer's Certificate issuer was not recognized. Any thoughts about what I might have missed?
> > > >
> > > > You don't have the full chain. It can be tricky to find the whole list even on CA's that make it relatively easy.
> > > >
> > > > What you want to do is use a tool like openssl x509 to display the subject and issuer:
> > > >
> > > > openssl x509 -text -noout -in /path/to/cert
> > > >
> > > > I'd start with the server cert you've been issued. Find a matching CA cert where the subject of the CA cert matches the issuer on the server cert.
> > > >
> > > > Then find another CA cert whose subject matches the issuer of the bottom of the chain, and work upwards until you find a CA cert where the issuer and subject match. Then you've found the root. That plus the other matching CA certs is your chain.
> > > >
> > > > I'll also note about the "add but not replace" the LDAP and Web certs. There can only be one active. You can certainly use different physical files and nicknames to store the new certs but only one set is active at a time.
> > > >
> > > > rob
> > > >
> > > > > On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcritten@redhat.com> wrote:
> > > > > > Kristian Petersen via FreeIPA-users wrote:
> > > > > > > That outlines the options, but not why I should or shouldn't use any of them. That is more of what I am looking for.
> > > > > >
> > > > > > It's less benefit analysis and more forced by internal requirements.
> > > > > >
> > > > > > Often an organization already has a CA and wants any additional CA's to be subordinates.
> > > > > >
> > > > > > The downsides of an external CA is some additional complexity.
> > > > > >
> > > > > > Installation can be more difficult (users often have issues getting their external CA to properly sign the IPA CSR), dealing with a longer certificate chain and being bound by the expiration date of the external CA.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > On Fri, Oct 11, 2019 at 9:47 AM François Cami <fcami@redhat.com> wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> > > > > > > > > Hey y'all,
> > > > > > > > >
> > > > > > > > > What are the pros and cons of using an external or internal CA for FreeIPA/IdM? I am trying to decide which to do but having trouble finding a lot of info about why I would want to do one or the other.
> > > > > > > >
> > > > > > > > The choices are documented there:
> > > > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server
> > > > > > > >
> > > > > > > > François
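The chain-walking procedure Rob describes in the quoted message (match each cert's issuer to a CA cert's subject until you reach a cert whose subject and issuer are the same), as an added example that is not part of the thread or of FreeIPA: a small Python script over constructed `openssl x509 -noout -subject -issuer` output. The server cert's issuer and the intermediate's subject are the DigiCert DN quoted in the thread; `ipa.example.edu`, `Example Root CA` and the file names are placeholders made up for this example. It also reports which issuer DN is still missing when the chain is incomplete (the "entire chain was not present" case) and lists the CA certs root-first for adding them one at a time.

```python
"""Walk an X.509 chain the way Rob describes in the thread: start at the server
cert, find the CA cert whose subject matches its issuer, and repeat until you
reach a cert whose subject and issuer match (the root).  Added example, not
code from the thread or from FreeIPA."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what
#   for f in *.crt; do echo "== $f"; openssl x509 -noout -subject -issuer -in "$f"; done
# prints.  The leaf's issuer and the intermediate's subject are the DigiCert DN
# quoted in the thread; ipa.example.edu, "Example Root CA" and the file names
# are placeholders made up for this example.
SAMPLE_DUMP = """\
== server.crt
subject=C = US, O = Example University, CN = ipa.example.edu
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
== DigiCertCA.crt
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
issuer=C = US, O = Example Trust, CN = Example Root CA
== root.crt
subject=C = US, O = Example Trust, CN = Example Root CA
issuer=C = US, O = Example Trust, CN = Example Root CA
"""


def normalize_dn(dn: str) -> str:
    """Canonicalise whitespace so 'C = US, O = X' (newer openssl default) and
    'C=US,O=X' (older -nameopt output) compare equal.  This is whitespace
    normalisation only, not full RFC 5280 name matching, and it assumes no
    escaped commas inside RDN values."""
    return ",".join(re.sub(r"\s*=\s*", "=", part.strip()) for part in dn.split(","))


def parse_openssl_dump(text: str) -> List[Dict[str, str]]:
    """Turn '== file' / 'subject=' / 'issuer=' blocks into cert records."""
    certs: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("== "):
            current = {"file": line[3:].strip()}
            certs.append(current)
        elif current is not None and line.startswith("subject="):
            current["subject"] = normalize_dn(line[len("subject="):])
        elif current is not None and line.startswith("issuer="):
            current["issuer"] = normalize_dn(line[len("issuer="):])
    return [c for c in certs if "subject" in c and "issuer" in c]


def build_chain(certs: List[Dict[str, str]], leaf_file: str) -> Tuple[List[str], Optional[str]]:
    """Return (files ordered leaf -> root, missing issuer DN or None).

    A non-None second value means the walk stopped because no supplied cert
    has that DN as its subject: the 'entire chain was not present' situation."""
    by_subject = {c["subject"]: c for c in certs}
    by_file = {c["file"]: c for c in certs}
    current = by_file[leaf_file]
    chain = [current["file"]]
    seen = {current["file"]}
    while current["subject"] != current["issuer"]:  # not yet at a self-signed root
        parent = by_subject.get(current["issuer"])
        if parent is None or parent["file"] in seen:
            # Missing link, or a loop from cross-signed/duplicate input: stop here.
            return chain, current["issuer"]
        chain.append(parent["file"])
        seen.add(parent["file"])
        current = parent
    return chain, None


def ca_install_order(chain: List[str]) -> List[str]:
    """CA certs root-first, the order for adding them individually as the thread
    suggests (the leaf itself is not a CA cert and is left out)."""
    return list(reversed(chain[1:]))


if __name__ == "__main__":
    certs = parse_openssl_dump(SAMPLE_DUMP)
    chain, missing = build_chain(certs, "server.crt")
    print("chain:", " -> ".join(chain))
    print("missing issuer:", missing)
    print("install CA certs in this order:", ca_install_order(chain))
```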
I have attached the files to this response.
On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Kristian Petersen via FreeIPA-users wrote:
> > They aren't in one file. But the server cert's issuer is the subject of the DigiCert.crt file. I have already tried adding just the Digicert.crt file only to have it tell me it's Peer's Certificate isn't trusted. I don't even know what certificate that is talking about.
>
> Can you share the files?
>
> rob
I tried attaching the files to my reply but that was rejected. So what is the best way to share them with you?
On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Kristian Petersen via FreeIPA-users wrote:
> > They aren't in one file. But the server cert's issuer is the subject of the DigiCert.crt file. I have already tried adding just the Digicert.crt file only to have it tell me it's Peer's Certificate isn't trusted. I don't even know what certificate that is talking about.
>
> Can you share the files?
>
> rob