3.4. Examples: Installing with Different CA Configurations

Identity Management uses an integrated certificate authority (CA) to create the certificates and keytabs used by users and hosts within the domain. Even internal domain services, such as the LDAP server and the Apache server for the Identity Management web UI, require server certificates to establish secure connections with each other.
A Dogtag Certificate System CA is almost always installed with the IdM server. That CA uses a CA signing certificate to create and sign all of the server and user certificates created within the IdM domain. That CA certificate itself has to be signed by the CA which issued it, and there are two different ways that a CA can sign the Dogtag Certificate System CA signing certificate:
  • The Dogtag Certificate System can sign its own certificate. This means that the Dogtag Certificate System instance is a root CA. There are no higher CAs, and the root CA cna set its own certificate policies.
    This is the default configuration.
  • The Dogtag Certificate System CA can be signed by an externally-hosted CA (such as Verisign). In that case, the external CA is the root CA, and the configured Dogtag Certificate System CA is subordinate to that root. This means that the certificates issued within the IdM domain are potentially subject to restrictions set by the root CA for attributes like the validity period.
    Referencing an external CA still uses a Dogtag Certificate System instance to issue all of the IdM domain certficates; the only difference is that the initial domain CA certificate is issued by a different CA.
There is one other option: installing without a CA at all. This requires that all certificates used within the IdM domain be created, uploaded, and renewed manually. There may be some environments where the additional maintenance burden is sustainable because of other restrictions within the infrastructure, but, in general, most deployments will use an integrated Dogtag Certificate System instance (and certmonger) to manage IdM domain certificates.

Important

It is not possible to change the CA configuration after the domain is created and it is not possible to migrate from one configuration to another. It is crucial that the CA requirements be considered before beginning the installation process.

3.4.1. Installing with an Internal Root CA

The default configuration is to install a Dogtag Certificate System which signs its own root CA certificate. There are no additional parameters or configuration steps required when the ipa-server-install command is run.
[root@server ~]# ipa-server-install
... &< ...

The IPA Master Server will be configured with:
Hostname:      server.example.com
IP address:    10.1.1.1
Domain name:   example.com
Realm name:    EXAMPLE.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

... &< ...

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
...
Done configuring certificate server (pki-cad).

... &< ...

3.4.2. Installing Using an External CA

The IdM server can use a certificate issued by an external CA. This can be a corporate CA or a third-party CA like Verisign or Thawte. As with a normal setup process, using an external CA still uses a Dogtag Certificate System instance for the IdM server for issuing all of its client and replica certificates; the initial CA certificate is simply issued by a different CA.
When using an external CA, there are two additional steps that must be performed: submit the generated certificate request to the external CA and then load the CA certificate and issued server certificate to complete the setup.

Important

The CA signing certificate generated for the Identity Management server must be a valid CA certificate. This requires either that the Basic Constraint option be set to CA=TRUE or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.

Important

It is not possible to change the CA configuration after the domain is created and it is not possible to migrate from one configuration to another. It is crucial that the CA requirements be considered before beginning the installation process.

Example 3.2. Using an External CA

  1. Run the ipa-server-install script, using the --external-ca option.
    [root@server ~]# ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --external-ca
  2. The script sets up the NTP and Directory Server services as normal.
  3. The script completes the CA setup and returns information about where the certificate signing request (CSR) is located, /root/ipa.csr. This request must be submitted to the external CA.
    Configuring certificate server: Estimated time 6 minutes
      [1/4]: creating certificate server user
      [2/4]: creating pki-ca instance
      [3/4]: restarting certificate server
      [4/4]: configuring certificate server instance
    The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install.
  4. Submit the request to the CA. The process differs for every service.
    It may be necessary to request the appropriate extensions for the certificate. The CA signing certificate generated for the Identity Management server must be a valid CA certificate. This requires either that the Basic Constraint be set to CA=true or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.
  5. Retrieve the issued certificate and the CA certificate chain for the issuing CA. Again, the process differs for every certificate service, but there is usually a download link on a web page or in the notification email that allows administrators to download all the required certificates. Be sure to get the full certificate chain for the CA, not just the CA certificate.
  6. Rerun ipa-server-install, specifying the locations and names of the certificate and CA chain files. For example:
    [root@server ~]# ipa-server-install --external_cert_file=/tmp/servercert20110601.p12 --external_ca_file=/tmp/cacert.p12
  7. Complete the setup process and verify that everything is working as expected, as in Section 3.3.1, “Basic Interactive Installation”.

3.4.3. Installing without a CA

In very rare cases, it may not be possible to install certificate services with the Identity Management server. In that case, it is possible to install Identity Management without an integrated Certificate System instance, as long as all required certificates are created and installed independently.
For installation, three certificates are required:
  • An LDAP server certificate
  • An Apache server certificate
  • An LDAP server certificate
This certificates must be requested from a third-party authority before beginning the installation process.
There are some important limitations with how certificates can be managed when there is no integrated Dogtag Certificate System instance:
  • certmonger is not used to track certificates, so there is no expiration warning.
  • There is no way to renew certificates through Identity Management.
  • The certificate management tools (ipa cert-*) cannot be used to view or manage certificates.
  • All host certificates and any service certificates must be requested, generated, and uploaded manually. This also affects how host management tools like ipa host-add function.
  • If a certificate is removed from an entry, it is not automatically revoked.

Important

It is not possible to change the CA configuration after the domain is created and it is not possible to migrate from one configuration to another. It is crucial that the CA requirements be considered before beginning the installation process.

Example 3.3. Installing Identity Management Without a CA

There are five options required when installing without a CA, to pass the required certificates directly to the setup process:
  • LDAP server certificate
    • --dirsrv_pkcs12, with the PKCS#12 certificate file for the LDAP server certificate
    • --dirsrv_pin, with the password to access the PKCS#12 file
  • Apache server certificate
    • --http_pkcs12, with the PKCS#12 certificate file for the Apache server certificate
    • --http_pin, with the password to access the PKCS#12 file
  • Root CA certificate (to allow the Apache and LDAP server certificates to be trusted across the domain)
[root@server ~]# ipa-server-install --http_pkcs12 /tmp-http-server.p12 --http_pin secret1 --dirsrv_pkcs12 /tmp/ldap-server.p12 --dirsrv_pin secret2 ...