3.4. Examples: Installing with Different CA Configurations
- The Dogtag Certificate System can sign its own certificate. This means that the Dogtag Certificate System instance is a root CA. There are no higher CAs, and the root CA can set its own certificate policies. This is the default configuration.
- The Dogtag Certificate System CA can be signed by an externally-hosted CA (such as Verisign). In that case, the external CA is the root CA, and the configured Dogtag Certificate System CA is subordinate to that root. This means that the certificates issued within the IdM domain are potentially subject to restrictions set by the root CA for attributes like the validity period. Referencing an external CA still uses a Dogtag Certificate System instance to issue all of the IdM domain certificates; the only difference is that the initial domain CA certificate is issued by a different CA.
certmonger) to manage IdM domain certificates.
3.4.1. Installing with an Internal Root CA
ipa-server-install command is run.
[root@server ~]# ipa-server-install
...
The IPA Master Server will be configured with:
Hostname:       server.example.com
IP address:     10.1.1.1
Domain name:    example.com
Realm name:     EXAMPLE.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
...
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  ...
Done configuring certificate server (pki-cad).
...
3.4.2. Installing Using an External CA
Basic Constraint option be set to CA=TRUE or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.
Example 3.2. Using an External CA
- Run the ipa-server-install script, using the --external-ca option:
[root@server ~]# ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --external-ca
- The script sets up the NTP and Directory Server services as normal.
- The script completes the CA setup and returns information about where the certificate signing request (CSR) is located, /root/ipa.csr. This request must be submitted to the external CA.
Configuring certificate server: Estimated time 6 minutes
  [1/4]: creating certificate server user
  [2/4]: creating pki-ca instance
  [3/4]: restarting certificate server
  [4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install.
- Submit the request to the CA. The process differs for every service. It may be necessary to request the appropriate extensions for the certificate. The CA signing certificate generated for the Identity Management server must be a valid CA certificate. This requires either that the Basic Constraint be set to CA=true or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.
- Retrieve the issued certificate and the CA certificate chain for the issuing CA. Again, the process differs for every certificate service, but there is usually a download link on a web page or in the notification email that allows administrators to download all the required certificates. Be sure to get the full certificate chain for the CA, not just the CA certificate.
- Re-run ipa-server-install, specifying the locations and names of the certificate and CA chain files. For example:
[root@server ~]# ipa-server-install --external_cert_file=/tmp/servercert20110601.p12 --external_ca_file=/tmp/cacert.p12
- Complete the setup process and verify that everything is working as expected, as in Section 3.3.1, “Basic Interactive Installation”.
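To check what the external CA hands back before re-running ipa-server-install, here is an added Python example (not part of the original guide): it reads the text that openssl x509 -text -noout prints for each certificate in the chain, applies the Basic Constraints / Key Usage requirement from the steps above, and confirms that the chain is complete up to a self-signed root. The certificate text embedded in it is constructed sample input, and the function names are my own.

```python
# Constructed sample input (not real certificates): what `openssl x509 -text -noout` prints, trimmed to the fields read here.
IDM_CA_TEXT = """\
        Issuer: O=Example Corp, CN=Example Root CA
        Subject: O=EXAMPLE.COM, CN=Certificate Authority
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
"""
ROOT_CA_TEXT = """\
        Issuer: O=Example Corp, CN=Example Root CA
        Subject: O=Example Corp, CN=Example Root CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

def parse_cert_text(text):
    """Extract subject, issuer, Basic Constraints and Key Usage from openssl text output."""
    cert = {"subject": None, "issuer": None, "ca": None, "key_usage": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Subject:"):
            cert["subject"] = s[len("Subject:"):].strip()
        elif s.startswith("Issuer:"):
            cert["issuer"] = s[len("Issuer:"):].strip()
        elif s.startswith("X509v3 Basic Constraints"):   # value is printed on the next line
            cert["ca"] = "CA:TRUE" in lines[i + 1]
        elif s.startswith("X509v3 Key Usage"):           # comma-separated list on the next line
            cert["key_usage"] = [u.strip() for u in lines[i + 1].split(",")]
    return cert

def can_sign_certificates(cert):
    """The requirement from the steps above: CA=TRUE, or a Key Usage that allows certificate signing."""
    return bool(cert["ca"]) or "Certificate Sign" in (cert["key_usage"] or [])

def check_chain(cert_texts):
    """cert_texts is ordered leaf-first (IdM CA, then its issuers); returns a list of problems, empty if usable."""
    certs = [parse_cert_text(t) for t in cert_texts]
    problems = []
    for n, c in enumerate(certs):
        if not can_sign_certificates(c):
            problems.append(f"cert {n} ({c['subject']}) is not allowed to sign certificates")
        if n + 1 < len(certs) and c["issuer"] != certs[n + 1]["subject"]:
            problems.append(f"cert {n} issuer does not match the subject of cert {n + 1}")
    if certs and certs[-1]["subject"] != certs[-1]["issuer"]:
        problems.append("chain does not end in a self-signed root; download the full chain")
    return problems
```

Run it over the output of `openssl x509 -text -noout -in <file>` for each certificate the CA delivered; any non-empty result means the chain should be corrected before ipa-server-install is re-run.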
3.4.3. Installing without a CA
- An LDAP server certificate
- An Apache server certificate
- certmonger is not used to track certificates, so there is no expiration warning.
- There is no way to renew certificates through Identity Management.
- The certificate management tools (ipa cert-*) cannot be used to view or manage certificates.
- All host certificates and any service certificates must be requested, generated, and uploaded manually. This also affects how host management tools like
- If a certificate is removed from an entry, it is not automatically revoked.
Example 3.3. Installing Identity Management Without a CA
- LDAP server certificate
  - --dirsrv_pkcs12, with the PKCS#12 certificate file for the LDAP server certificate
  - --dirsrv_pin, with the password to access the PKCS#12 file
- Apache server certificate
  - --http_pkcs12, with the PKCS#12 certificate file for the Apache server certificate
  - --http_pin, with the password to access the PKCS#12 file
- Root CA certificate (to allow the Apache and LDAP server certificates to be trusted across the domain)
[root@server ~]# ipa-server-install --http_pkcs12 /tmp/http-server.p12 --http_pin secret1 --dirsrv_pkcs12 /tmp/ldap-server.p12 --dirsrv_pin secret2 ...