Charles Hedrick via FreeIPA-users wrote:
this will let you add outside certs for the services that would be
visible to users:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
It doesn’t actually turn off the CA functionality, but it becomes largely unused.
I haven't tested it but his proposal makes some sense. Once you have a
working master without a CA using 3rd party certs I don't see why you
couldn't remove the other masters and be left with only the master with
3rd party certs (you'd have to use the --ignore-last-of-role when
removing the last CA).
ipa-cacert-manage has no ability to remove certs currently so you'd
eventually want to manually (e.g. ldapmodify) remove the old IPA CA cert
from the stored list and run ipa-certupdate on all the enrolled clients
to completely wipe out the old CA.
Honestly I'm not sure I'd do this at the same time as also changing
distributions to limit the number of moving parts but I don't know of
any specific reason it wouldn't work.
Be sure to add a new entry on what will be the final master to ensure
there is a DNA configuration.
I'd suggest trying this a few times in a lab since it is a destructive
operation. There are likely a few loose ends that, while they probably
wouldn't prevent operation, could cause confusion. I think trying it a
few times might shake those out in advance.
rob
I'd actually be interested in a way to completely move to CA-less
operation if there is one.
> On Oct 3, 2019, at 5:15 AM, Marco V. via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hi,
>
> We've installed a replicated 7Server IPA setup with an internal CA.
> Now, due to corporate policies we need to migrate to a no-CA setup (because we need
> to use corporate signed certificates and a sub-CA is also not allowed..). So we need
> to migrate from 7Server internal-CA replicated IPA to 8Server no-CA replicated IPA.
>
> ipa-replica-install does not support --ca-cert-file, so we cannot install the new
> replica with the corporate certificates straight away.
> What would be the correct procedure?
>
> I've come up with the following steps:
> 1. install the new 8Server replicas without CA (they will get the self-signed
> certificates from the existing 7Server master (first master))
> 2. first add the corporate root CA to both 7Server and 8Server nodes' system
> ca-bundle.trust.crt
> 3. manually replace HTTP and LDAP certificates with corporate signed certificates
> 4. remove the 7Server replica and first master, so we end up with the no-CA 8Server
> nodes only
>
> I'm wondering whether replication will still be functional when performing step
> 3, but I can perform additional testing on that.
> We are running production with our setup, so we need an 'online' migration
> strategy.
>
> Would this be the best approach or do I need another solution? ;-)
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
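Two points in the thread are worth verifying with a script before doing them for real: step 3 (the HTTP and LDAP certificates must chain to the corporate root and name the replica, or TLS between clients and that replica fails even while replication looks healthy), and Rob's cleanup of the old IPA CA (after the ldapmodify and ipa-certupdate, no host's trust bundle should still carry the old CA). The following is an added lab check, not code from the thread or from FreeIPA. Everything it uses is constructed on the spot: a throwaway "corporate" root, a throwaway "old IPA" root, a service certificate signed by the corporate root, and the placeholder hostname ipa1.example.test. On a real replica you would point the three functions at the PEM you export for httpd and 389-ds, at the corporate bundle, and at each host's trust store, and compute the old CA's fingerprint from the real certificate.

```shell
#!/bin/sh
# Added lab check (not from the thread). All material below is constructed:
# two self-signed roots, one service cert, and a placeholder hostname.
set -e

WORK="$(mktemp -d)"
HOST="ipa1.example.test"   # placeholder replica name

# Constructed lab roots: the "corporate" CA that will sign the service
# certs, and the "old IPA" CA that must disappear from every trust bundle.
mkca() {  # $1 = file stem, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/O=Lab/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
mkca corp-ca "Example Corp Root CA"
mkca old-ipa-ca "Old IPA CA"

# Constructed service cert for the replica, signed by the corporate root,
# with the SAN that httpd/389-ds clients will check.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/svc.key" -out "$WORK/svc.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/svc.ext"
openssl x509 -req -in "$WORK/svc.csr" -CA "$WORK/corp-ca.pem" -CAkey "$WORK/corp-ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/svc.ext" \
  -out "$WORK/svc.pem" >/dev/null 2>&1

# Two trust bundles: one that still carries the old IPA CA (a host before the
# cleanup finished) and one that does not.
cat "$WORK/old-ipa-ca.pem" "$WORK/corp-ca.pem" > "$WORK/mixed-bundle.pem"
cp  "$WORK/corp-ca.pem" "$WORK/clean-bundle.pem"

fingerprint() {  # $1 = single PEM cert; prints openssl's colon-form SHA-256 fingerprint
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}
OLD_FPR="$(fingerprint "$WORK/old-ipa-ca.pem")"

# Check 1: the service cert chains to the CA the clients will trust.
chains_to_ca() {  # $1 = CA bundle, $2 = service cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the cert names the replica. A cert that verifies but has no SAN
# for the host breaks TLS to that replica even though replication looks fine.
names_host() {  # $1 = service cert, $2 = hostname
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Check 3: does a bundle still contain a cert with the old CA's fingerprint?
# Run this against every host's trust store after ipa-certupdate.
bundle_contains_fpr() {  # $1 = PEM bundle, $2 = fingerprint to look for
  rm -f "$WORK"/split.*.pem
  # split the bundle into one file per certificate
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/split." n ".pem")}' "$1"
  for f in "$WORK"/split.*.pem; do
    grep -q 'BEGIN CERTIFICATE' "$f" || continue
    if [ "$(fingerprint "$f")" = "$2" ]; then return 0; fi
  done
  return 1
}

# Stand-alone run: report each check.
chains_to_ca "$WORK/corp-ca.pem" "$WORK/svc.pem" && echo "chain OK" || echo "chain FAIL"
names_host "$WORK/svc.pem" "$HOST" && echo "SAN OK" || echo "SAN FAIL"
bundle_contains_fpr "$WORK/mixed-bundle.pem" "$OLD_FPR" && echo "old CA still in mixed bundle"
bundle_contains_fpr "$WORK/clean-bundle.pem" "$OLD_FPR" || echo "old CA absent from clean bundle"
```

Check 3 is the one to repeat on every enrolled client and on the surviving master, since the thread notes that ipa-cacert-manage cannot remove a CA and the old entry has to be cleared manually before ipa-certupdate propagates the change.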