[Freeipa-users] is ipa-cert-manage safe to use?
Harald Dunkel
2017-05-15 11:53:15 UTC
Hi folks,

I have to renew (or replace) the externally signed certificate
on my ipa servers using a new ca. Apparently the tool of choice
is ipa-cacert-manage.

Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
Problem is, I cannot estimate the risk and if it's worth the effort.
What happens to freeipa if ipa-cacert-manage fails miserably? Does it
affect the LDAP database or Kerberos? Will it break the connection
between my ipa servers or between servers and clients?

Would you suggest to forget all the "CA stuff" in freeipa and manage
the certificates externally?

The platform of the ipa servers is CentOS 7.3. There are 100+
Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.

I am highly concerned. Every helpful comment is appreciated.

Harri
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Rob Crittenden
2017-05-15 14:44:41 UTC
Post by Harald Dunkel
> Hi folks,
> I have to renew (or replace) the externally signed certificate
> on my ipa servers using a new ca. Apparently the tool of choice
> is ipa-cacert-manage.
> Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
> Problem is, I cannot estimate the risk and if it's worth the effort.
> What happens to freeipa if ipa-cacert-manage fails miserably? Does it
> affect the LDAP database or Kerberos? Will it break the connection
> between my ipa servers or between servers and clients?
> Would you suggest to forget all the "CA stuff" in freeipa and manage
> the certificates externally?
> The platform of the ipa servers is CentOS 7.3. There are 100+
> Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.
> I am highly concerned. Every helpful comment is appreciated.
I'm confused. You mention replacing some "externally signed certificate"
and yet then ask about switching to externally signed certificates. What is
the current configuration? What is signing the existing server certs? Or
do you have an external CA signing the IPA CA?

ipa-cacert-manage is for managing the CA certificate, not service
certificates.

rob
Harald Dunkel
2017-05-16 13:13:46 UTC
Post by Rob Crittenden
> I'm confused. You mention replacing some "externally signed certificate"
> and yet then ask about switching to externally signed certificates. What is
> the current configuration? What is signing the existing server certs? Or
> do you have an external CA signing the IPA CA?
The current servers have been installed with --external-ca. freeipa
created a csr, it was signed by an external CA and handed off back
to the freeipa server.

The question was if I should drop the whole certificate support
in freeipa. It's called "CA-less install", if I got this correctly.
I am not sure if it is possible to switch from external-ca to
CA-less.
Post by Rob Crittenden
> ipa-cacert-manage is for managing the CA certificate, not service
> certificates.
Sure. Point is that I don't see how a problem on replacing freeipa's
(externally signed) CA certificate by a new one affects freeipa.

Sorry to say, but at install time I did not have the impression
that "ipa-server-install --external-ca" was thoroughly tested
before. I ran straight into a problem, but fortunately that didn't
matter, cause freeipa was not in production use, yet. (Look for
"ipa-server-install --external-ca failed" on this mailing list,
thread started 2015-12-15.)

Today it is in production use. If I brick freeipa today, then I
have a huge problem, so I am concerned.


Regards
Harri
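Harald's worry is about what happens if the new CA certificate turns out to be bad once ipa-cacert-manage has installed it. One thing a practitioner can do before touching the IPA server at all is to verify, offline with openssl, the certificate the external CA handed back: it must carry the same public key as the CSR IPA generated (a renewal keeps IPA's CA key pair), it must actually be a CA certificate, and it must chain to the external root you expect. The script below is an added example, not part of this thread or of the FreeIPA project; it constructs its own throwaway external root, CSR and certificates in a temp directory so it runs stand-alone, and the file names, subject names and the `check_new_ca_cert` function are assumptions of this example. For a real renewal you would pass the certificate returned by your external CA, the CSR that ipa-cacert-manage generated, and the external CA's chain file.

```shell
#!/bin/sh
# Pre-flight check for an externally signed IPA CA certificate (added example;
# not from the thread or the FreeIPA project). Before feeding a new CA cert to
# ipa-cacert-manage, confirm that it (1) carries the same public key as the CSR
# IPA generated, (2) is actually a CA certificate and (3) chains to the external
# root you expect. All inputs below are constructed in a temp dir so the script
# runs offline; for a real renewal point the three arguments at your own files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: a throwaway external root, an IPA-style CA CSR, one
# correctly signed certificate and one signed for a different key pair.
make_fixtures() {
  openssl genrsa -out "$WORK/external-root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/external-root.key" -days 3650 \
      -subj "/CN=Example External Root" -out "$WORK/external-root.pem" 2>/dev/null

  # Stands in for the key pair ipa-server-install --external-ca created
  openssl genrsa -out "$WORK/ipa-ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ipa-ca.key" \
      -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" -out "$WORK/ipa-ca.csr" 2>/dev/null

  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ipa-ca.csr" -CA "$WORK/external-root.pem" \
      -CAkey "$WORK/external-root.key" -CAcreateserial -days 730 \
      -extfile "$WORK/ca.ext" -out "$WORK/ipa-ca-new.pem" 2>/dev/null

  # Same subject, different key: what a mix-up at the external CA could return
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/other.key" \
      -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" -out "$WORK/other.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/other.csr" -CA "$WORK/external-root.pem" \
      -CAkey "$WORK/external-root.key" -CAcreateserial -days 730 \
      -extfile "$WORK/ca.ext" -out "$WORK/ipa-ca-wrongkey.pem" 2>/dev/null
}

# check_new_ca_cert CERT CSR CHAIN -> returns 0 if CERT is safe to install, 1 otherwise
check_new_ca_cert() {
  cert=$1; csr=$2; chain=$3

  # 1. Public key must be the one from the CSR (a renewal keeps IPA's CA key pair).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  if [ "$cert_pub" != "$csr_pub" ]; then
    echo "FAIL: public key in $cert does not match $csr" >&2
    return 1
  fi

  # 2. Must be marked as a CA (basicConstraints CA:TRUE).
  if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: $cert is not a CA certificate" >&2
    return 1
  fi

  # 3. Must verify against the external root/chain you expect to trust.
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $chain" >&2
    return 1
  fi

  echo "OK: $cert matches the CSR, is a CA certificate and chains to $chain"
  return 0
}

make_fixtures
check_new_ca_cert "$WORK/ipa-ca-new.pem" "$WORK/ipa-ca.csr" "$WORK/external-root.pem"
# The mismatched certificate must be rejected (prints FAIL ... public key ...)
if check_new_ca_cert "$WORK/ipa-ca-wrongkey.pem" "$WORK/ipa-ca.csr" "$WORK/external-root.pem"; then
  echo "unexpected: wrong-key certificate passed" >&2
  exit 1
fi
```

The check never touches the IPA databases; it only reports whether the certificate matches the key, is a CA certificate and chains to the expected root, which are the mistakes most likely to turn a CA-cert install into the outage Harald is worried about. Running it against the real files, after taking a backup with ipa-backup, gives a clean go/no-go before the irreversible step.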