3.4. Examples: Installing with Different CA Configurations
Identity Management uses an integrated certificate authority (CA) to create the certificates and keytabs used by users and hosts within the domain. Even internal domain services, such as the LDAP server and the Apache server for the Identity Management web UI, require server certificates to establish secure connections with each other.

A Dogtag Certificate System CA is almost always installed with the IdM server. That CA uses a CA signing certificate to create and sign all of the server and user certificates created within the IdM domain. That CA certificate itself has to be signed by the CA which issued it, and there are two different ways that a CA can sign the Dogtag Certificate System CA signing certificate:

- The Dogtag Certificate System can sign its own certificate. This means that the Dogtag Certificate System instance is a root CA. There are no higher CAs, and the root CA can set its own certificate policies. This is the default configuration.
- The Dogtag Certificate System CA can be signed by an externally-hosted CA (such as Verisign). In that case, the external CA is the root CA, and the configured Dogtag Certificate System CA is subordinate to that root. This means that the certificates issued within the IdM domain are potentially subject to restrictions set by the root CA for attributes like the validity period. Referencing an external CA still uses a Dogtag Certificate System instance to issue all of the IdM domain certificates; the only difference is that the initial domain CA certificate is issued by a different CA.

There is one other option: installing without a CA at all. This requires that all certificates used within the IdM domain be created, uploaded, and renewed manually. There may be some environments where the additional maintenance burden is sustainable because of other restrictions within the infrastructure, but, in general, most deployments will use an integrated Dogtag Certificate System instance (and certmonger) to manage IdM domain certificates.

Important

It is not possible to change the CA configuration after the domain is created and it is not possible to migrate from one configuration to another. It is crucial that the CA requirements be considered before beginning the installation process.
3.4.1. Installing with an Internal Root CA
The default configuration is to install a Dogtag Certificate System which signs its own root CA certificate. There are no additional parameters or configuration steps required when the ipa-server-install command is run.

3.4.2. Installing Using an External CA
				The IdM server can use a certificate issued by an external CA. This can be a corporate CA or a third-party CA like Verisign or Thawte. As with a normal setup process, using an external CA still uses a Dogtag Certificate System instance for the IdM server for issuing all of its client and replica certificates; the initial CA certificate is simply issued by a different CA.
			
				When using an external CA, there are two additional steps that must be performed: submit the generated certificate request to the external CA and then load the CA certificate and issued server certificate to complete the setup.
			
Important

The CA signing certificate generated for the Identity Management server must be a valid CA certificate. This requires either that the Basic Constraint option be set to CA=TRUE or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.
				
Example 3.2. Using an External CA

- Run the ipa-server-install script, using the --external-ca option.

  ```
  [root@server ~]# ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --external-ca
  ```

- The script sets up the NTP and Directory Server services as normal.
- The script completes the CA setup and returns information about where the certificate signing request (CSR) is located, /root/ipa.csr. This request must be submitted to the external CA.
- Submit the request to the CA. The process differs for every service. It may be necessary to request the appropriate extensions for the certificate. The CA signing certificate generated for the Identity Management server must be a valid CA certificate. This requires either that the Basic Constraint be set to CA=true or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.
- Retrieve the issued certificate and the CA certificate chain for the issuing CA. Again, the process differs for every certificate service, but there is usually a download link on a web page or in the notification email that allows administrators to download all the required certificates. Be sure to get the full certificate chain for the CA, not just the CA certificate.
- Rerun ipa-server-install, specifying the locations and names of the certificate and CA chain files. For example:

  ```
  [root@server ~]# ipa-server-install --external_cert_file=/tmp/servercert20110601.p12 --external_ca_file=/tmp/cacert.p12
  ```

- Complete the setup process and verify that everything is working as expected, as in Section 3.3.1, “Basic Interactive Installation”.
3.4.3. Installing without a CA
				In very rare cases, it may not be possible to install certificate services with the Identity Management server. In that case, it is possible to install Identity Management without an integrated Certificate System instance, as long as all required certificates are created and installed independently.
			
For installation, three certificates are required:

- An LDAP server certificate
- An Apache server certificate
- A root CA certificate

These certificates must be requested from a third-party authority before beginning the installation process.
				There are some important limitations with how certificates can be managed when there is no integrated Dogtag Certificate System instance:
			
- certmonger is not used to track certificates, so there is no expiration warning.
- There is no way to renew certificates through Identity Management.
- The certificate management tools (ipa cert-*) cannot be used to view or manage certificates.
- All host certificates and any service certificates must be requested, generated, and uploaded manually. This also affects how host management tools like ipa host-add function.
- If a certificate is removed from an entry, it is not automatically revoked.
				
Example 3.3. Installing Identity Management Without a CA

There are five options required when installing without a CA, to pass the required certificates directly to the setup process:

- LDAP server certificate
  - --dirsrv_pkcs12, with the PKCS#12 certificate file for the LDAP server certificate
  - --dirsrv_pin, with the password to access the PKCS#12 file
- Apache server certificate
  - --http_pkcs12, with the PKCS#12 certificate file for the Apache server certificate
  - --http_pin, with the password to access the PKCS#12 file
- Root CA certificate (to allow the Apache and LDAP server certificates to be trusted across the domain)

```
[root@server ~]# ipa-server-install --http_pkcs12 /tmp/http-server.p12 --http_pin secret1 --dirsrv_pkcs12 /tmp/ldap-server.p12 --dirsrv_pin secret2 ...
```