Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

26.8. Installing a CA Into an Existing IdM Domain

If an IdM domain was installed without a Certificate Authority (CA), you can install the CA services subsequently. Depending on your environment, you can install the IdM Certificate Server CA or use an external CA.

Note

For details on the supported CA configurations, see Section 2.3.2, “Determining What CA Configuration to Use”.
Installing an IdM Certificate Server
  1. Use the following command to install the IdM Certificate Server CA:
    [root@ipa-server ~] ipa-ca-install
  2. Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.

    Important

    Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
Installing External CA
The subsequent installation of an external CA consists of multiple steps:
  1. Start the installation:
    [root@ipa-server ~] ipa-ca-install --external-ca
    After this step an information is shown that a certificate signing request (CSR) was saved. Submit the CSR to the external CA and copy the issued certificate to the IdM server.
  2. Continue the installation with passing the certificates and full path to the external CA files to ipa-ca-install:
    [root@ipa-server ~]# ipa-ca-install --external-cert-file=/root/master.crt --external-cert-file=/root/ca.crt
  3. Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.

    Important

    Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
The CA installation does not replace the existing service certificates for the LDAP and web server with ones issued by the new installed CA. For details how to replace the certificates, see Section 26.9, “Replacing the Web Server's and LDAP Server's Certificate”.