Fedora 15 documentation contained a procedure for promoting a self-signed replica to a master capable of issuing certificates.
I could not find it in the current documentation; I think we should return the procedure. I managed to create a working procedure that could be used:

1) Install replica:
   # ipa-replica-install
2) Copy CA serial number setting from master to replica:
   # scp /var/lib/ipa/ca_serialno root@REPLICA:/var/lib/ipa/
3) On replica, set correct owner and permissions:
   # chown root:apache /var/lib/ipa/ca_serialno
   # chmod 550 /var/lib/ipa/ca_serialno
4) Restore SELinux context on serial file:
   # restorecon /var/lib/ipa/ca_serialno
5) Copy master CA certificate and pwdfile.txt to replica:
   # scp /etc/httpd/alias/cacert.p12 /etc/httpd/alias/pwdfile.txt root@REPLICA:~/
7) On replica, import the CA certificate:
   # pk12util -i ~/cacert.p12 -w ~/pwdfile.txt -d /etc/httpd/alias/ -k /etc/httpd/alias/pwdfile.txt
8) The list of certificates in the NSS database (including the one imported) can be listed with:
   # certutil -L -d /etc/httpd/alias/
   However, since the pk12util import utility is not capable of setting a correct certificate nickname, the imported certificate will have a nickname like "CN=$REALM Certificate Authority", which is not recognized by the IPA certificate system. The following procedure can be used to set a correct nickname for the certificate (replace $REALM with your realm):
   a) Export the certificate:
      # certutil -d /etc/httpd/alias/ -L -n 'CN=$REALM Certificate Authority' -a > ~/cacert.crt
   b) Delete the old certificate (the NSS database /etc/httpd/alias/ should be backed up before this step):
      # certutil -d /etc/httpd/alias/ -D -n 'CN=$REALM Certificate Authority'
   c) Import the certificate with the correct nickname:
      # certutil -A -n "$REALM IPA CA" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -i /root/cacert.crt -a -t CTu,u,Cu
9) Enable certificate operations on the IPA replica:
   # echo "enable_ra=True" >> /etc/ipa/default.conf
10) Reload the web server to pick up the new configuration:
   # service httpd reload
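The nickname check and re-import from step 8 above, written as a script with the verification a practitioner would want first. This is an added example, not part of the ticket or of FreeIPA; it assumes the NSS database at /etc/httpd/alias and its pwdfile.txt as in the steps, and takes the realm as its only argument (without one it runs against a constructed sample of `certutil -L` output).

```shell
#!/bin/sh
# Added example, not from the ticket: checks whether the NSS database used by
# the IPA web server holds the CA under the nickname IPA expects ("$REALM IPA CA")
# or only under the one pk12util generated, and if so re-imports it with the
# ticket's certutil steps (8a-8c) plus a backup of the database.
# Assumed paths: NSS DB /etc/httpd/alias and its pwdfile.txt, as in the ticket.
NSSDB=/etc/httpd/alias
PWDFILE=$NSSDB/pwdfile.txt
# Constructed sample of `certutil -L` output: two header lines, a blank line,
# then "nickname   trust-flags" rows (nicknames may contain spaces).
SAMPLE_LIST=$(cat <<'EOF'
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

CN=EXAMPLE.COM Certificate Authority                 CTu,u,Cu
Server-Cert                                          u,u,u
EOF
)
# Turn `certutil -L` output (stdin) into "nickname<TAB>trust" lines.
list_nicknames() {
    awk 'NR > 2 && NF >= 2 { trust = $NF; sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print $0 "\t" trust }'
}
# Usage: certutil -L -d "$NSSDB" | ca_nickname_status REALM  -> ok | wrong-nickname | missing
ca_nickname_status() {
    list_nicknames | awk -F'\t' -v want="$1 IPA CA" -v old="CN=$1 Certificate Authority" '
        $1 == want { found = 1; print "ok"; exit }
        $1 == old  { wrong = 1 }
        END { if (!found) print (wrong ? "wrong-nickname" : "missing") }'
}
# Steps 8a-8c of the ticket, with a backup and a check that the export worked.
fix_ca_nickname() {
    old="CN=$1 Certificate Authority"; new="$1 IPA CA"
    backup=$(mktemp -d /root/alias-backup.XXXXXX) || return 1
    cp -a "$NSSDB"/. "$backup"/                    # back up the NSS DB before deleting
    certutil -d "$NSSDB" -L -n "$old" -a > "$backup/cacert.crt"
    [ -s "$backup/cacert.crt" ] || { echo "export of '$old' failed; DB untouched" >&2; return 1; }
    certutil -d "$NSSDB" -D -n "$old"
    certutil -A -n "$new" -d "$NSSDB" -f "$PWDFILE" -i "$backup/cacert.crt" -a -t CTu,u,Cu
}
# With a realm argument act on the live database; without one, run on the sample only.
if [ $# -eq 1 ]; then
    case $(certutil -L -d "$NSSDB" | ca_nickname_status "$1") in
        ok)             echo "CA nickname already correct" ;;
        wrong-nickname) fix_ca_nickname "$1" && echo "CA re-imported as '$1 IPA CA'" ;;
        missing)        echo "CA not in $NSSDB; import cacert.p12 first (step 7)" >&2; exit 1 ;;
    esac
else
    printf '%s\n' "$SAMPLE_LIST" | ca_nickname_status EXAMPLE.COM   # prints wrong-nickname
fi
```

The status check is useful on its own after step 7 to confirm the database is in the state step 8 expects before any certificate is deleted.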
Put into Fedora docs only.
Then we should put it on the wiki.
I added the page to [wiki] and linked it to the http://www.freeipa.org/page/HowTos HOWTO page.
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.1 Stabilization