This article will go into detail on how to install certificates on FreeIPA.
The dogtag packages are now available in Fedora. The required packages should be pulled in as dependencies when ipa-server is installed.
This just makes the binaries available for the IPA installer script. The installer creates and configures the necessary dogtag components to stand up a CA.
A dogtag CA is installed by default by IPA. To install using a self-signed CA instead of dogtag pass in the --selfsign
argument to ipa-server-install
.
The CA uses a separate instance of DS that is used only for the CA. This instance is named PKI-IPA.
It will install a CA instance into /var/lib/pki-ca.
A copy of the root CA certificate and private key will be put into /root/cacert.p12.
A copy of the CA agent certificate will be put into /root/ca-agent.p12. This agent certificate can be imported into a browser and used to administer CS using the web interface (not recommended).
If you have an existing CA you can use it make the IPA CA a subordinate.
This is a three-step process:
Run ipa-server-install
with whatever arguments are appropriate for your environment and include the --external_ca
flag:
<pre># ipa-server-install --external-ca </pre>
This will generate a CSR in /root/ipa.csr
. This is the file you need to provide to your CA for signing. You will also need to obtain a PEM copy of your CA trust chain.
Once you have both of these you can continue the installer:
<pre># ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/existing_ca.crt </pre>
The server caches the answers the first time you run the installer so you don't need to answer the questions again the second time. This cache is removed when the installer is run again.
The paths to the certificate and CA must be absolute paths. The dogtag silent installer will fail if they are not.
Once the installation is complete you will have the same files as a standalone IPA CA: /root/cacert.p12 and /root/ca-agent.p12.
The only difference is that the CA certificate is signed by your external CA in this mode and self-signed in the default mode.
If don't you want to use the new IPA CA features at all that is ok but you'll need to take a few extra steps.
There are two ways to achieve this:
The step setting enable_ra
to False
disables the cert plugin in the XML-RPC interface. Your IPA server will be unable to issue certificates.
To use the Install and Replace method do the following:
--selfsign
optionipa-server-certinstall
once for the DS and once for Apache to replace the server certificates/usr/share/ipa/html/configure.jar
/etc/ipa/ca.crt
and /usr/share/ipa/html/ca.crt
/etc/ipa/default.conf
and set enable_ra
to False
To use the Install your own method do the following:
--http_pkcs12
and --dirsrv_pkcs12
and their respective pin arguments. Your PKCS#12 files should contain the server cert, key and the CA cert chain./usr/share/ipa/html/configure.jar
/etc/ipa/ca.crt
and /usr/share/ipa/html/ca.crt
are correct/etc/ipa/default.conf
and set enable_ra
to False