FreeIPA CA – Sign CSR with Certificate Signing Request

Tags: certificate, certificate-authority, csr, freeipa

We have a certificate authority with FreeIPA, and I am trying to put in place a subordinate CA with FreeIPA too.

I started the installation of the subordinate CA with the ipa-server-install --external-ca command. The result is an ipa.csr file.

The FreeIPA documentation says I have to have the certificate signed by the root CA:

This will generate a CSR in /root/ipa.csr. This is the file you need to provide to your CA for signing. You will also need to obtain a PEM copy of your CA trust chain.

Once you have both of these you can continue the installer

But there are no details.
The ipa-getcert request command tells Certmonger to generate a signing request and to submit the request for signing to a CA.

I would just like to have the CSR signed by the root CA (because I already have the CSR, automatically generated during the installation). How do I do that, please?

Thanks a lot!

Best Answer

The --external-ca flag is used only if you want FreeIPA to be a "subordinate" CA off of an external CA. For example, if you have Active Directory, and you want AD to be your root CA. If FreeIPA is going to be your root CA, then you don't need the --external-ca flag.

The best thing to do in this case would be to reinstall your OS, and start over.
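
Added example (not part of the original question or answer, and not FreeIPA code): whichever CA signs /root/ipa.csr, the returned certificate is worth checking before the installer is continued. The file names ipa.crt and ca-chain.pem and the function name check_subca_cert are assumptions; the check only uses the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity-check a signed subordinate-CA certificate before
# continuing the installer. Not FreeIPA code; file names are assumptions.

# check_subca_cert CSR CERT CHAIN
# Returns 0 only if CERT carries the public key from CSR, is marked
# CA:TRUE, and verifies against the PEM trust chain in CHAIN.
check_subca_cert() {
    csr=$1; cert=$2; chain=$3

    # 1. The CA must have signed *this* request: compare public keys.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read CSR $csr" >&2; return 1; }
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $cert" >&2; return 1; }
    if [ "$csr_key" != "$cert_key" ]; then
        echo "FAIL: certificate public key does not match the CSR" >&2
        return 1
    fi

    # 2. A subordinate CA needs basicConstraints CA:TRUE; a certificate
    #    issued from a server/leaf profile cannot sign anything.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: certificate is not a CA certificate (no CA:TRUE)" >&2
        return 1
    fi

    # 3. The certificate must chain to the supplied trust chain.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $chain" >&2
        return 1
    fi

    echo "OK: $cert matches $csr, is a CA certificate, and chains to $chain"
}

# Usage: sh check_subca.sh /root/ipa.csr ipa.crt ca-chain.pem
if [ "$#" -eq 3 ]; then
    check_subca_cert "$@"
fi
```

A failure at step 2 usually means the request was signed with a server or user certificate profile rather than a CA profile, so the certificate has to be reissued.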