hi guys, I'm starting to look more thoroughly into CA and something I'm not sure is possible, and hoping you could shed more light onto, is - having IPA deployed with own CA is it possible to then, at a later point, move/migrate/change IPA to subordinate type of CA with AD's CA as root? Is such a change a SOP or rather something undocumented-unsupported but possible & risky?

On 20/06/2019 14:38, Alexander Bokovoy wrote: > On to, 20 kesä 2019, lejeczek via FreeIPA-users wrote: >> hi guys, >> >> I'm starting to look more thoroughly into CA and something I'm not sure >> is possible, and hoping you could shed more light onto, is - having IPA >> deployed with own CA is it possible to then, at a later point, >> move/migrate/change IPA to subordinate type of CA with AD's CA as root? >> >> Is such a change a SOP or rather something undocumented-unsupported but >> possible & risky? > It is possible and is a routine action. > [1] > https://frasertweedale.github.io/blog-redhat/posts/2018-11-20-ca-renewal-... > > [2] > https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html > > [3] > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi... > > See also > https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_ex... > > -- these are our tests of this feature which run for every pull request. > Look at TestSelfExternalSelf suite, it should be more or less > self-explanatory. > > okey, great, that should help, many! thanks. I've just thumbed through it - either I missed it or it's not there, to clearly get the process, as I mentioned earlier, of move/migrate/change IPA's CA/PKI to Win AD. Does IPA CA has to be removed, demoted first or clean setup without CA is required in order to tap into AD's?

On 02/07/2019 13:13, Alexander Bokovoy wrote: > On ti, 02 heinä 2019, lejeczek via FreeIPA-users wrote: >> On 20/06/2019 14:38, Alexander Bokovoy wrote: >>> On to, 20 kesä 2019, lejeczek via FreeIPA-users wrote: >>>> hi guys, >>>> >>>> I'm starting to look more thoroughly into CA and something I'm not >>>> sure >>>> is possible, and hoping you could shed more light onto, is - having >>>> IPA >>>> deployed with own CA is it possible to then, at a later point, >>>> move/migrate/change IPA to subordinate type of CA with AD's CA as >>>> root? >>>> >>>> Is such a change a SOP or rather something undocumented-unsupported >>>> but >>>> possible & risky? >>> It is possible and is a routine action. >>> [1] >>> https://frasertweedale.github.io/blog-redhat/posts/2018-11-20-ca-renewal-... >>> >>> >>> [2] >>> https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html >>> >>> >>> [3] >>> https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi... >>> >>> >>> See also >>> https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_ex... >>> >>> >>> -- these are our tests of this feature which run for every pull >>> request. >>> Look at TestSelfExternalSelf suite, it should be more or less >>> self-explanatory. >>> >>> >> okey, great, that should help, many! thanks. >> >> I've just thumbed through it - either I missed it or it's not there, to >> clearly get the process, as I mentioned earlier, of move/migrate/change >> IPA's CA/PKI to Win AD. >> >> Does IPA CA has to be removed, demoted first or clean setup without CA >> is required in order to tap into AD's? > It is up to you. The process to switch to an external CA is the same, > use 'ipa-cacert-manage renew' command: > > Step 1: > # ipa-cacert-manage renew --external-ca-type ms-cs \ >  --external-ca-profile MySubCA > Exporting CA certificate signing request, please wait > > Step 2 is to get /var/lib/ipa/ca.csr signed by your CA and re-run > ipa-cacert-manage as: > > # ipa-cacert-manage renew > --external-cert-file=/path/to/signed_certificate > --external-cert-file=/path/to/external_ca_certificate > The ipa-cacert-manage command was successful > > This is all described in the Fraser's blog [2] above. > No, not really, unless I've gone dumb & blind. That post, very informative & helpful, shows how: "Renewing the certificate FreeIPA provides the ipa-cacert-manage renew command for renewing an externally-signed CA certificate..." "External CA installation in FreeIPA. FreeIPA supports installation with an externally..." And nowhere there is a mention about how to transition from IPA's CA to external AD. Again, I was asking how to move/migrate/change IPA's CA/PKI to Win AD. When, like me, you have IPA's CA working, then does IPA CA have to be removed, demoted first or clean setup/reinstallation of IPA without CA is required in order to tap into AD's? If I do: $ ipa-cacert-manage renew --external-ca-type ms-cs --external-ca-profile MySubCA Renewing CA certificate, please wait You cannot specify --external-ca-type when renewing a self-signed CA The ipa-cacert-manage command failed. Or there is a way to transition/move/migrate, however I should call it, to IPA external AD's CA from existing IPA's CA without dismantling whole IPA? many thanks, L.

_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

On Wed, Jul 10, 2019 at 04:55:29PM +0200, Florence Blanc-Renaud via FreeIPA-users wrote: > On 7/10/19 1:11 PM, lejeczek via FreeIPA-users wrote: >> On 02/07/2019 13:13, Alexander Bokovoy wrote: >>> On ti, 02 heinä 2019, lejeczek via FreeIPA-users wrote: >>>> On 20/06/2019 14:38, Alexander Bokovoy wrote: >>>>> On to, 20 kesä 2019, lejeczek via FreeIPA-users wrote: >>>>>> hi guys, >>>>>> >>>>>> I'm starting to look more thoroughly into CA and something I'm not >>>>>> sure >>>>>> is possible, and hoping you could shed more light onto, is - having >>>>>> IPA >>>>>> deployed with own CA is it possible to then, at a later point, >>>>>> move/migrate/change IPA to subordinate type of CA with AD's CA as >>>>>> root? >>>>>> >>>>>> Is such a change a SOP or rather something undocumented-unsupported >>>>>> but >>>>>> possible & risky? >>>>> It is possible and is a routine action. >>>>> [1] >>>>> https://frasertweedale.github.io/blog-redhat/posts/2018-11-20-ca-renewal-... >>>>> >>>>> >>>>> [2] >>>>> https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html >>>>> >>>>> >>>>> [3] >>>>> https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi... >>>>> >>>>> >>>>> See also >>>>> https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_ex... >>>>> >>>>> >>>>> -- these are our tests of this feature which run for every pull >>>>> request. >>>>> Look at TestSelfExternalSelf suite, it should be more or less >>>>> self-explanatory. >>>>> >>>>> >>>> okey, great, that should help, many! thanks. >>>> >>>> I've just thumbed through it - either I missed it or it's not there, to >>>> clearly get the process, as I mentioned earlier, of move/migrate/change >>>> IPA's CA/PKI to Win AD. >>>> >>>> Does IPA CA has to be removed, demoted first or clean setup without CA >>>> is required in order to tap into AD's? >>> It is up to you. The process to switch to an external CA is the same, >>> use 'ipa-cacert-manage renew' command: >>> >>> Step 1: >>> # ipa-cacert-manage renew --external-ca-type ms-cs \ >>>  --external-ca-profile MySubCA >>> Exporting CA certificate signing request, please wait >>> >>> Step 2 is to get /var/lib/ipa/ca.csr signed by your CA and re-run >>> ipa-cacert-manage as: >>> >>> # ipa-cacert-manage renew >>> --external-cert-file=/path/to/signed_certificate >>> --external-cert-file=/path/to/external_ca_certificate >>> The ipa-cacert-manage command was successful >>> >>> This is all described in the Fraser's blog [2] above. >>> >> No, not really, unless I've gone dumb & blind. >> >> That post, very informative & helpful, shows how: >> >> "Renewing the certificate >> FreeIPA provides the ipa-cacert-manage renew command for renewing an >> externally-signed CA certificate..." >> >> "External CA installation in FreeIPA. >> >> FreeIPA supports installation with an externally..." >> >> And nowhere there is a mention about how to transition from IPA's CA to >> external AD. Again, I was asking how to move/migrate/change >> IPA's CA/PKI to Win AD. >> >> When, like me, you have IPA's CA working, then does IPA CA have to be >> removed, demoted first or clean setup/reinstallation of IPA without CA >> is required in order to tap into AD's? >> >> If I do: >> >> $ ipa-cacert-manage renew --external-ca-type ms-cs --external-ca-profile >> MySubCA >> Renewing CA certificate, please wait >> You cannot specify --external-ca-type when renewing a self-signed CA >> The ipa-cacert-manage command failed. >> >> Or there is a way to transition/move/migrate, however I should call it, >> to IPA external AD's CA from existing IPA's CA without dismantling whole >> IPA? >> >> many thanks, L. >> >> > Hi, > please have a look at [1] Changing the Certificate chain: > ----8<---- > Self-signed CA certificate → externally-signed CA certificate > Add the --external-ca option to ipa-cacert-manage renew. This renews the > self-signed CA certificate as an externally-signed CA certificate. > For details on running the command with this option, see Section 26.2.2, > “Renewing CA Certificates Manually”. > ---->8---- > > you need to specify --external-ca --external-ca-type ms-cs > --external-ca-profile MySubCA > But replace "MySubCA" with the appropriate template name. Or leave it out if the default template name ("SubCA") is correct. You can also specify template by OID. Read `man 1 ipa-cacert-manage` for full details. Cheers, Fraser

> HTH, > flo > > [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... >> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >> > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

On Wed, Jul 17, 2019 at 12:46:15PM +0100, lejeczek via FreeIPA-users wrote: >>> Hi, >>> please have a look at [1] Changing the Certificate chain: >>> ----8<---- >>> Self-signed CA certificate → externally-signed CA certificate >>> Add the --external-ca option to ipa-cacert-manage renew. This renews the >>> self-signed CA certificate as an externally-signed CA certificate. >>> For details on running the command with this option, see Section 26.2.2, >>> “Renewing CA Certificates Manually”. >>> ---->8---- >>> >>> you need to specify --external-ca --external-ca-type ms-cs >>> --external-ca-profile MySubCA >>> >> But replace "MySubCA" with the appropriate template name. Or leave >> it out if the default template name ("SubCA") is correct. You can >> also specify template by OID. Read `man 1 ipa-cacert-manage` for >> full details. >> >> Cheers, >> Fraser > AD's end - is "Appendix B: creating a custom sub-CA certificate > template" a must-have or optional, and can be skipped over to "Appendix > C: issuing a certificate" > > I imagine quite a few of us, those who do not have control over AD > domain and need to rely on those who have, must think that question. > It is not essential to use a custom sub-CA template for the IPA CA. The default ("SubCA") works just fine (subject to policy).

> many thanks, L. > > ps. templetes/profiles - is there more one could read to understand what > is SubCA, what is IPA's default profile, etc.? > "Template" in AD and "profile" in IPA are the same concept: defining how to build the certificate to be issued, and constraints. The AD "SubCA" template issues a CA certificate (Basic Constraints extension with CA: TRUE) signed by the AD CA. Common reasons to define a custom sub-CA template are to specify the pathLenConstraint (i.e. can the subject issue further sub-CAs?), or the Name Constraints extension (what namespaces can the subject issue certificates for?). I don't know for sure if AD has a default template; I have only ever seen the template explicitly specified in the CSR but maybe there are other ways. In IPA the default profile is "caIPAserviceCert" which is suitable for TLS services. Cheers, Fraser

Is changing the chain (apart from the risk attached to doing something, anything, and that something can go wrong) healthy? (security) eg. Having AD CA as root then changing to another AD, then maybe back to IPA's own. many thanks, L.