5:27 a.m.
Hi everyone,
We have a small-ish RHEL 7 IdM (4.6.8) domain that is currently running with
a self-signed root CA. All is well and good, except we've been told that we
have to play nice with the rest of the organization now, which includes
changing the self-signed root CA in to an intermediate CA.
I remember a discussion on here about converting an IdM root CA in to an
intermediate CA, but for the life of me I can't find the discussion or any
related documentation. (Was I hallucinating?)
So:
* Is what I'm talking about even possible?
* If it is possible, is there some documentation somewhere where I can
read up on the process and potential risks?
* If it isn't possible, short of creating a new domain[1] and moving
all of the clients to it, what might work here?
[1] - I'm not against this, however, we have several replica IdM servers at
remote sites that are on the other end of low-bandwidth high-latency
satellite links. Having the various IdM servers talk amongst themselves for
regular domain updates hasn't been a problem. We've never been able to
create a new replica at our remote sites though.
Thank you all for your time,
Chad
--
Chad Schrock, he/him
Supporting MIT Lincoln Laboratory, Lexington, MA
8:58 a.m.
On Mon, Jan 30, 2023 at 11:27:47AM +0000, Schrock, Chad - 0336 - MITLL via FreeIPA-users
wrote:
Hi everyone,
We have a small-ish RHEL 7 IdM (4.6.8) domain that is currently running with
a self-signed root CA. All is well and good, except we've been told that we
have to play nice with the rest of the organization now, which includes
changing the self-signed root CA in to an intermediate CA.
I remember a discussion on here about converting an IdM root CA in to an
intermediate CA, but for the life of me I can't find the discussion or any
related documentation. (Was I hallucinating?)
So:
* Is what I'm talking about even possible?
* If it is possible, is there some documentation somewhere where I can
read up on the process and potential risks?
* If it isn't possible, short of creating a new domain[1] and moving
all of the clients to it, what might work here?
It is possible and supported. See docs:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
See also ipa-cacert-manage man page. Command is:
ipa-cacert-manage renew --external-ca
But you may need extra args if the external issuer is AD-CS.
Thanks,
Fraser
11:50 a.m.
New subject: Converting self-signed root CA to intermediate CA
From: Fraser Tweedale via FreeIPA-users <freeipa-
On Mon, Jan 30, 2023 at 11:27:47AM +0000, Schrock, Chad - 0336 - MITLL via
FreeIPA-users wrote:
> I remember a discussion on here about converting an IdM root CA
in to
> an intermediate CA, but for the life of me I can't find the discussion
> or any related documentation. (Was I hallucinating?)
> * Is what I'm talking about even possible?
> * If it is possible, is there some documentation somewhere where I
can
> read up on the process and potential risks?
> * If it isn't possible, short of creating a new domain[1] and moving
> all of the clients to it, what might work here?
>
It is possible and supported. See docs:
https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/8/html-
single/managing_certificates_in_idm/index#renew-with-externally-signed-
CA_ipa-ca-renewal
See also ipa-cacert-manage man page. Command is:
ipa-cacert-manage renew --external-ca
But you may need extra args if the external issuer is AD-CS.
Hi Fraser, Thank you so much for your reply, that's exactly what I needed and
somehow completely missed.
Thank you again,
Chad
--
Chad Schrock, he/him
Supporting MIT Lincoln Laboratory, Lexington, MA
457
days inactive
457
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Fraser Tweedale -
Schrock, Chad - 0336 - MITLL