26.8. Installing a CA Into an Existing IdM Domain
If an IdM domain was installed without a Certificate Authority (CA), you can install the CA services subsequently. Depending on your environment, you can install the IdM Certificate Server CA or use an external CA.
Note
For details on the supported CA configurations, see Section 2.3.2, “Determining What CA Configuration to Use”.
- Installing an IdM Certificate Server
  - Use the following command to install the IdM Certificate Server CA:
    [root@ipa-server ~]# ipa-ca-install
  - Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.
    Important
    Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
- Installing an External CA
  - The subsequent installation of an external CA consists of multiple steps:
    - Start the installation:
      [root@ipa-server ~]# ipa-ca-install --external-ca
      After this step, a message is shown that a certificate signing request (CSR) was saved. Submit the CSR to the external CA and copy the issued certificate to the IdM server.
    - Continue the installation by passing the full paths of the issued certificate and the external CA certificate file to ipa-ca-install:
      [root@ipa-server ~]# ipa-ca-install --external-cert-file=/root/master.crt --external-cert-file=/root/ca.crt
    - Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.
      Important
      Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
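The following script is an added example, not part of the Red Hat documentation: a small POSIX sh wrapper around the external CA procedure above, with the ipa-certupdate step that both procedures (IdM Certificate Server and external CA) end with. It assumes, which the page does not state, that ipa-ca-install writes the CSR to /root/ipa.csr, that the issued certificate and the external CA certificate are copied to /root/master.crt and /root/ca.crt, that openssl is available, and that the other servers and clients are reachable as root over ssh. Before the second ipa-ca-install run it checks that the issued certificate actually carries the public key from the CSR and that it chains to the CA certificate being installed beside it, which catches the two most common reasons that step fails.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: wrapper for the
# external-CA installation steps plus the ipa-certupdate fan-out.
# Assumptions (not stated on the page): CSR path, certificate paths, openssl
# present, and root ssh access to the other IdM hosts.

CSR=${CSR:-/root/ipa.csr}
MASTER_CRT=${MASTER_CRT:-/root/master.crt}
CA_CRT=${CA_CRT:-/root/ca.crt}

# Step 1: ask ipa-ca-install to generate the CSR for the external CA.
ca_request() {
    ipa-ca-install --external-ca
}

# Pre-flight check before step 2: every file handed to ipa-ca-install must be
# readable. Returns 1 and names the first file that is not.
check_cert_files() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    return 0
}

# Pre-flight check: the issued certificate must carry the public key from the
# CSR (otherwise the external CA signed some other request), and it must
# chain to the CA certificate that will be installed next to it.
check_issued_cert() {
    csr_key=$(openssl req -in "$CSR" -pubkey -noout) || return 1
    crt_key=$(openssl x509 -in "$MASTER_CRT" -pubkey -noout) || return 1
    if [ "$csr_key" != "$crt_key" ]; then
        echo "public key in $MASTER_CRT does not match $CSR" >&2
        return 1
    fi
    openssl verify -CAfile "$CA_CRT" "$MASTER_CRT" >/dev/null || {
        echo "$MASTER_CRT does not chain to $CA_CRT" >&2
        return 1
    }
}

# Step 2: finish the CA installation with the externally issued certificate
# and the external CA certificate, exactly as in the section above.
ca_install() {
    ipa-ca-install --external-cert-file="$MASTER_CRT" \
                   --external-cert-file="$CA_CRT"
}

# Step 3: run ipa-certupdate locally and then on every other server and
# client, one host at a time, as the section requires.
run_certupdate() {
    ipa-certupdate || return 1
    for host in "$@"; do
        echo "running ipa-certupdate on $host"
        ssh "root@$host" ipa-certupdate || return 1
    done
}

case "${1:-}" in
    request) ca_request ;;
    install) check_cert_files "$CSR" "$MASTER_CRT" "$CA_CRT" \
                 && check_issued_cert && ca_install ;;
    update)  shift; run_certupdate "$@" ;;
    *)       echo "usage: $0 request | install | update HOST..." >&2 ;;
esac
```

Run `./ipa-external-ca.sh request`, have the CSR signed, copy the files into place, then `./ipa-external-ca.sh install` and finally `./ipa-external-ca.sh update replica1.example.com client1.example.com`. If the external CA is an intermediate, /root/ca.crt must contain the whole chain up to the root, or the openssl verify step (and ipa-ca-install itself) will reject the certificate.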
The CA installation does not replace the existing service certificates of the LDAP and web server with ones issued by the newly installed CA. For details on how to replace the certificates, see Section 26.9, “Replacing the Web Server's and LDAP Server's Certificate”.