On Wed, Jul 10, 2019 at 04:55:29PM +0200, Florence Blanc-Renaud via
FreeIPA-users wrote:
> On 7/10/19 1:11 PM, lejeczek via FreeIPA-users wrote:
>> On 02/07/2019 13:13, Alexander Bokovoy wrote:
>>> On ti, 02 heinä 2019, lejeczek via FreeIPA-users wrote:
>>>> On 20/06/2019 14:38, Alexander Bokovoy wrote:
>>>>> On to, 20 kesä 2019, lejeczek via FreeIPA-users wrote:
>>>>>> hi guys,
>>>>>>
>>>>>> I'm starting to look more thoroughly into CA and something I'm not
>>>>>> sure is possible, and hoping you could shed more light onto, is -
>>>>>> having IPA deployed with own CA is it possible to then, at a later
>>>>>> point, move/migrate/change IPA to subordinate type of CA with AD's
>>>>>> CA as root?
>>>>>>
>>>>>> Is such a change a SOP or rather something undocumented-unsupported
>>>>>> but possible & risky?
>>>>> It is possible and is a routine action.
>>>>> [1] https://frasertweedale.github.io/blog-redhat/posts/2018-11-20-ca-renewal-...
>>>>> [2] https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html
>>>>> [3] https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
>>>>>
>>>>> See also
>>>>> https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_ex...
>>>>> -- these are our tests of this feature which run for every pull
>>>>> request. Look at the TestSelfExternalSelf suite; it should be more or
>>>>> less self-explanatory.
>>>>>
>>>> okay, great, that should help, many thanks!
>>>>
>>>> I've just thumbed through it - either I missed it or it's not there, to
>>>> clearly get the process, as I mentioned earlier, of move/migrate/change
>>>> IPA's CA/PKI to Win AD.
>>>>
>>>> Does the IPA CA have to be removed or demoted first, or is a clean setup
>>>> without a CA required in order to tap into AD's?
>>> It is up to you. The process to switch to an external CA is the same,
>>> use 'ipa-cacert-manage renew' command:
>>>
>>> Step 1:
>>> # ipa-cacert-manage renew --external-ca-type ms-cs \
>>> --external-ca-profile MySubCA
>>> Exporting CA certificate signing request, please wait
>>>
>>> Step 2 is to get /var/lib/ipa/ca.csr signed by your CA and re-run
>>> ipa-cacert-manage as:
>>>
>>> # ipa-cacert-manage renew \
>>> --external-cert-file=/path/to/signed_certificate \
>>> --external-cert-file=/path/to/external_ca_certificate
>>> The ipa-cacert-manage command was successful
>>>
>>> This is all described in Fraser's blog [2] above.
>>>
>> No, not really, unless I've gone dumb & blind.
>>
>> That post, very informative & helpful, shows how:
>>
>> "Renewing the certificate
>> FreeIPA provides the ipa-cacert-manage renew command for renewing an
>> externally-signed CA certificate..."
>>
>> "External CA installation in FreeIPA.
>>
>> FreeIPA supports installation with an externally..."
>>
>> And nowhere is there a mention of how to transition from IPA's CA to an
>> external AD one. Again, I was asking how to move/migrate/change
>> IPA's CA/PKI to Win AD.
>>
>> When, like me, you have IPA's CA working, does the IPA CA have to be
>> removed or demoted first, or is a clean setup/reinstallation of IPA without
>> a CA required in order to tap into AD's?
>>
>> If I do:
>>
>> $ ipa-cacert-manage renew --external-ca-type ms-cs \
>> --external-ca-profile MySubCA
>> Renewing CA certificate, please wait
>> You cannot specify --external-ca-type when renewing a self-signed CA
>> The ipa-cacert-manage command failed.
>>
>> Or is there a way to transition/move/migrate, however I should call it,
>> to an external AD CA from the existing IPA CA without dismantling the
>> whole IPA?
>>
>> many thanks, L.
>>
>>
> Hi,
> please have a look at [1] Changing the Certificate chain:
> ----8<----
> Self-signed CA certificate → externally-signed CA certificate
> Add the --external-ca option to ipa-cacert-manage renew. This renews the
> self-signed CA certificate as an externally-signed CA certificate.
> For details on running the command with this option, see Section 26.2.2,
> “Renewing CA Certificates Manually”.
> ---->8----
>
> you need to specify --external-ca --external-ca-type ms-cs
> --external-ca-profile MySubCA
>
But replace "MySubCA" with the appropriate template name. Or leave
it out if the default template name ("SubCA") is correct. You can
also specify the template by OID. Read `man 1 ipa-cacert-manage` for
full details.

Cheers,
Fraser

On AD's end - is "Appendix B: creating a custom sub-CA certificate
template" a must-have or optional, and can it be skipped over to
"Appendix C: issuing a certificate"?

I imagine quite a few of us, those who do not have control over the AD
domain and need to rely on those who have, must be wondering about that
question.

many thanks, L.

ps. templates/profiles - is there more one could read to understand what
SubCA is, what IPA's default profile is, etc.?
> HTH,
> flo
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...