This will let you add outside certs for the services that would be visible to users: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
It doesn’t actually turn off the CA functionality, but it becomes largely unused. I’d actually be interested in a way to completely move to CA-less operation if there is one.

> On Oct 3, 2019, at 5:15 AM, Marco V. via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi,
>
> We've installed a replicated 7Server IPA setup with an internal CA.
> Now, due to corporate policies we need to migrate to a no-CA setup (because
> we need to use corporate signed Certificates
> and a sub-CA is also not allowed..) So we need to migrate from 7Server
> internal-CA replicated IPA to 8Server no-CA replicated IPA.
>
> ipa-replica-install does not support --ca-cert-file, so we cannot install the
> new replica with the corporate certificates straight away.
> What would be the correct procedure?
>
> I've come up with the following steps:
> 1. install the new 8Server replicas without CA, (They will get the
> self-signed certificates from existing 7Server master (first master))
> 2. first add corporate root CA to both 7Server and 8Server nodes systems
> ca-bundle.trust.crt
> 3. manually replace HTTP and LDAP certificates with corporate-signed
> certificates
> 4. remove 7Server replica and first master, so we end up with the no-CA
> 8Server nodes only
>
> I'm wondering whether replication will still be functional when performing
> step 3, but I can perform additional testing on that.
> We are running production with our setup, so we need an 'online' migration
> strategy.
>
> Would this be the best approach or do I need another solution? ;-)
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
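The quoted steps 2 and 3 (add the corporate root CA to the system trust bundle, then replace the HTTP and LDAP certificates) are where a replacement cert that does not chain, does not name the host, or does not match its key will break the server. The script below is an added example written for this thread, not code from the list, FreeIPA or the linked wiki page; it runs the pre-flight checks a practitioner would want before installing a third-party cert, against fixtures it builds itself with openssl (the hostname `ipa.example.test`, the "Demo Corp Root CA" and the "Old IPA CA" are constructed for the demo). The check functions take any PEM bundle, cert and key, so they can be pointed at a real corporate bundle and cert before step 3.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for swapping an IPA
# server's HTTP/LDAP certificate for a corporate-signed one. Every name in the
# fixtures (ipa.example.test, the two demo CAs) is constructed for the demo.

# 0 if CERT chains to a root contained in BUNDLE (e.g. the corporate root CA
# that step 2 of the migration adds to ca-bundle.trust.crt), non-zero otherwise.
verify_chain() {
    bundle=$1; cert=$2
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# 0 if CERT carries HOST as a DNS subjectAltName (clients check the SAN, not the CN).
cert_has_san() {
    cert=$1; host=$2
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$host(,|\$)"
}

# 0 if KEY is the private key that belongs to CERT (their public keys are equal).
key_matches_cert() {
    cert=$1; key=$2
    a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if CERT is still valid SECONDS from now (catches a cert issued with a short lifetime).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run all checks for one service cert; returns 0 only if every check passes.
preflight() {
    bundle=$1; cert=$2; key=$3; host=$4; failed=0
    if verify_chain "$bundle" "$cert"; then echo "ok   chains to a root in $bundle"
    else echo "FAIL does not chain to any root in $bundle"; failed=1; fi
    if cert_has_san "$cert" "$host"; then echo "ok   SAN contains DNS:$host"
    else echo "FAIL SAN does not contain DNS:$host"; failed=1; fi
    if key_matches_cert "$cert" "$key"; then echo "ok   private key matches certificate"
    else echo "FAIL private key does not match certificate"; failed=1; fi
    if cert_valid_for "$cert" 86400; then echo "ok   valid for at least 24h"
    else echo "FAIL expires within 24h"; failed=1; fi
    return $failed
}

# Build constructed fixtures in DIR: a "corporate" root CA, a leaf cert for HOST
# signed by it, and an unrelated root standing in for the old IPA-internal CA.
make_fixtures() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Corp Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Old IPA CA" \
        -keyout "$dir/old.key" -out "$dir/old.crt" >/dev/null 2>&1
}

# Demo: the corporate-signed leaf passes against the corporate root and fails
# against the old internal CA, which is exactly the situation in step 3.
demo_dir=$(mktemp -d)
make_fixtures "$demo_dir" ipa.example.test
echo "--- checking against the corporate root bundle"
preflight "$demo_dir/ca.crt" "$demo_dir/leaf.crt" "$demo_dir/leaf.key" ipa.example.test || true
echo "--- checking against the old internal CA only"
preflight "$demo_dir/old.crt" "$demo_dir/leaf.crt" "$demo_dir/leaf.key" ipa.example.test || true
rm -rf "$demo_dir"
```

On a real server the bundle argument would be the file the corporate root was appended to in step 2 and the cert/key arguments the files about to be handed to the HTTP and LDAP services; a FAIL on the chain check is the one that also predicts replication trouble, since the other replicas validate the LDAP cert against their own trust store.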