Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
26.8. Installing a CA Into an Existing IdM Domain
If an IdM domain was installed without a Certificate Authority (CA), you can install the CA services subsequently. Depending on your environment, you can install the IdM Certificate Server CA or use an external CA.
Note
For details on the supported CA configurations, see Section 2.3.2, “Determining What CA Configuration to Use”.
- Installing an IdM Certificate Server
- Use the following command to install the IdM Certificate Server CA:
[root@ipa-server ~] ipa-ca-install
- Run the
ipa-certupdateutility on all servers and clients to update them with the information about the new certificate from LDAP. You must runipa-certupdateon every server and client separately.ImportantAlways runipa-certupdateafter manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
- Installing External CA
- The subsequent installation of an external CA consists of multiple steps:
- Start the installation:
[root@ipa-server ~] ipa-ca-install --external-ca
After this step an information is shown that a certificate signing request (CSR) was saved. Submit the CSR to the external CA and copy the issued certificate to the IdM server. - Continue the installation with passing the certificates and full path to the external CA files to
ipa-ca-install:[root@ipa-server ~]# ipa-ca-install --external-cert-file=/root/master.crt --external-cert-file=/root/ca.crt
- Run the
ipa-certupdateutility on all servers and clients to update them with the information about the new certificate from LDAP. You must runipa-certupdateon every server and client separately.ImportantAlways runipa-certupdateafter manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
The CA installation does not replace the existing service certificates for the LDAP and web server with ones issued by the new installed CA. For details how to replace the certificates, see Section 26.9, “Replacing the Web Server's and LDAP Server's Certificate”.
