On Wed, Jul 10, 2019 at 04:55:29PM +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
On 7/10/19 1:11 PM, lejeczek via FreeIPA-users wrote:
> On 02/07/2019 13:13, Alexander Bokovoy wrote:
> > On ti, 02 heinä 2019, lejeczek via FreeIPA-users wrote:
> > > On 20/06/2019 14:38, Alexander Bokovoy wrote:
> > > > On to, 20 kesä 2019, lejeczek via FreeIPA-users wrote:
> > > > > hi guys,
> > > > >
> > > > > I'm starting to look more thoroughly into CA and something I'm not
> > > > > sure is possible, and hoping you could shed more light onto, is -
> > > > > having IPA deployed with own CA is it possible to then, at a later
> > > > > point, move/migrate/change IPA to subordinate type of CA with AD's
> > > > > CA as root?
> > > > >
> > > > > Is such a change a SOP or rather something undocumented-unsupported
> > > > > but possible & risky?
> > > > It is possible and is a routine action.
> > > > [1]
> > > > https://frasertweedale.github.io/blog-redhat/posts/2018-11-20-ca-renewal-...
> > > >
> > > > [2]
> > > > https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html
> > > >
> > > > [3]
> > > > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
> > > >
> > > > See also
> > > > https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_ex...
> > > > -- these are our tests of this feature which run for every pull
> > > > request.
> > > > Look at TestSelfExternalSelf suite, it should be more or less
> > > > self-explanatory.
> > > >
> > > okay, great, that should help, many thanks!
> > >
> > > I've just thumbed through it - either I missed it or it's not there, to
> > > clearly get the process, as I mentioned earlier, of move/migrate/change
> > > IPA's CA/PKI to Win AD.
> > >
> > > Does IPA CA have to be removed, demoted first or clean setup without CA
> > > is required in order to tap into AD's?
> > It is up to you. The process to switch to an external CA is the same,
> > use 'ipa-cacert-manage renew' command:
> >
> > Step 1:
> > # ipa-cacert-manage renew --external-ca-type ms-cs \
> > --external-ca-profile MySubCA
> > Exporting CA certificate signing request, please wait
> >
> > Step 2 is to get /var/lib/ipa/ca.csr signed by your CA and re-run
> > ipa-cacert-manage as:
> >
> > # ipa-cacert-manage renew \
> > --external-cert-file=/path/to/signed_certificate \
> > --external-cert-file=/path/to/external_ca_certificate
> > The ipa-cacert-manage command was successful
> >
> > This is all described in the Fraser's blog [2] above.
> >
> No, not really, unless I've gone dumb & blind.
>
> That post, very informative & helpful, shows how:
>
> "Renewing the certificate
> FreeIPA provides the ipa-cacert-manage renew command for renewing an
> externally-signed CA certificate..."
>
> "External CA installation in FreeIPA.
>
> FreeIPA supports installation with an externally..."
>
> And nowhere there is a mention about how to transition from IPA's CA to
> external AD. Again, I was asking how to move/migrate/change
> IPA's CA/PKI to Win AD.
>
> When, like me, you have IPA's CA working, then does IPA CA have to be
> removed, demoted first or clean setup/reinstallation of IPA without CA
> is required in order to tap into AD's?
>
> If I do:
>
> $ ipa-cacert-manage renew --external-ca-type ms-cs \
> --external-ca-profile MySubCA
> Renewing CA certificate, please wait
> You cannot specify --external-ca-type when renewing a self-signed CA
> The ipa-cacert-manage command failed.
>
> Or there is a way to transition/move/migrate, however I should call it,
> to IPA external AD's CA from existing IPA's CA without dismantling whole
> IPA?
>
> many thanks, L.
>
>
> Hi,
> please have a look at [1] Changing the Certificate chain:
> ----8<----
> Self-signed CA certificate → externally-signed CA certificate
> Add the --external-ca option to ipa-cacert-manage renew. This renews the
> self-signed CA certificate as an externally-signed CA certificate.
> For details on running the command with this option, see Section 26.2.2,
> “Renewing CA Certificates Manually”.
> ---->8----
you need to specify --external-ca --external-ca-type ms-cs
--external-ca-profile MySubCA
But replace "MySubCA" with the appropriate template name. Or leave
it out if the default template name ("SubCA") is correct. You can
also specify template by OID. Read `man 1 ipa-cacert-manage` for
full details.
Cheers,
Fraser
> HTH,
> flo
>
> [1]
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> >
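Between the two ipa-cacert-manage steps in the thread, a practitioner would want to confirm that what AD CS handed back is really a CA certificate for the IPA CSR and that it chains to the AD root, because ipa-cacert-manage will otherwise fail late or, worse, install a chain that nothing trusts. The script below is an added example, not code from the thread or from FreeIPA; it assumes only openssl is present, and its make_demo function constructs throwaway files that stand in for /var/lib/ipa/ca.csr and the AD CS output so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks on the certificate
# AD CS returns, run before step 2 (ipa-cacert-manage renew --external-cert-file=...).
# Assumes only openssl is installed. In a real run the CSR is /var/lib/ipa/ca.csr;
# make_demo below constructs stand-in files so the check works offline.
set -e

# check_signed_ca_cert CSR SIGNED_CERT EXTERNAL_CA_CERT
# Succeeds only when the signed cert (1) carries the public key from our CSR,
# so it really answers our request, (2) is marked CA:TRUE, which a SubCA
# template must produce, and (3) chains to the external CA certificate.
check_signed_ca_cert() {
    csr=$1; cert=$2; ca=$3
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$csr_key" = "$cert_key" ] \
        || { echo "public key does not match the CSR" >&2; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "not a CA certificate (wrong template?)" >&2; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "does not chain to the external CA" >&2; return 1; }
    return 0
}

# make_demo: constructed stand-ins for the AD CS root, the IPA CSR, a correctly
# signed sub-CA cert and a wrongly signed end-entity cert. Prints the directory.
make_demo() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.cnf"
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo External Root' \
        -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.cnf" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo IPA CA' \
        -keyout "$d/ipa.key" -out "$d/ca.csr" >/dev/null 2>&1
    # Signed with CA extensions, as a SubCA template would do
    openssl x509 -req -in "$d/ca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.cnf" -out "$d/ipa-ca.pem" >/dev/null 2>&1
    # Signed without CA extensions (e.g. a server template picked by mistake)
    openssl x509 -req -in "$d/ca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/ipa-ee.pem" >/dev/null 2>&1
    echo "$d"
}
```

In production, call check_signed_ca_cert with /var/lib/ipa/ca.csr, the certificate issued by AD CS and the AD CS CA certificate, and only run the second ipa-cacert-manage renew when it succeeds.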