Red Hat SummitChapter 31. Adding the IdM CA service to an IdM server in a deployment without a CA
If you previously installed an Identity Management (IdM) domain without the certificate authority (CA) component, you can add the IdM CA service to the domain to enable internal certificate management and enhance security.
For details on the supported CA configurations, see Planning your CA services.
31.1. Installing the first IdM CA as the root CA into an existing IdM domain
Install an Identity Management (IdM) certificate authority (CA) on an existing IdM server that was installed without a CA. You can provide local certificate services and maintain control over your security infrastructure without a dependency on an external root CA.
Prerequisites
-
You have
rootpermissions on idmserver. - The IdM server is installed on idmserver.
- Your IdM deployment has no CA installed.
-
You know the IdM
Directory Managerpassword.
Procedure
On idmserver, install the IdM Certificate Server CA:
[root@idmserver ~] ipa-ca-install
[root@idmserver ~] ipa-ca-installCopy to Clipboard Copied! Toggle word wrap Toggle overflow On each IdM host in the topology, run the
ipa-certupdateutility to update the host with the information about the new certificate from the IdM LDAP.ImportantIf you do not run
ipa-certupdateafter generating the IdM CA certificate, the certificate will not be distributed to the other IdM machines.
31.2. Installing the first IdM CA with an external CA as the root CA into an existing IdM domain
Install the Identity Management (IdM) CA subordinate to an external root CA to integrate with your existing certificate infrastructure. This setup configures the server to operate directly under the root or through intermediate authorities to establish trust.
Prerequisites
-
You have
rootpermissions on idmserver. - The IdM server is installed on idmserver.
- Your IdM deployment has no CA installed.
-
You know the IdM
Directory Managerpassword.
Procedure
Start the installation:
[root@idmserver ~] ipa-ca-install --external-ca
[root@idmserver ~] ipa-ca-install --external-caCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Wait till the command line informs you that a certificate signing request (CSR) has been saved.
- Submit the CSR to the external CA.
- Copy the issued certificate to the IdM server.
Continue the installation by adding the certificates and full path to the external CA files to
ipa-ca-install:ipa-ca-install --external-cert-file=/root/master.crt --external-cert-file=/root/ca.crt
[root@idmserver ~]# ipa-ca-install --external-cert-file=/root/master.crt --external-cert-file=/root/ca.crtCopy to Clipboard Copied! Toggle word wrap Toggle overflow On each IdM host in the topology, run the
ipa-certupdateutility to update the host with the information about the new certificate from the IdM LDAP.ImportantFailing to run
ipa-certupdateafter generating the IdM CA certificate means that the certificate will not be distributed to the other IdM machines.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}