Wednesday, February 7, 2024

[SOLVED] How to find .crt file installed by default of FreeIPA?

Issue

Use this guide installed FreeIPA with SSL: https://www.howtoforge.com/how-to-install-freeipa-server-on-centos-7/

yum install ipa-server bind-dyndb-ldap ipa-server-dns -y
ipa-server-install --setup-dns

After finish it, it can be accessed by https://ipa.hakase-labs.io/.

There are two files generated on the /root/ path:

  • ca-agent.p12
  • cacert.p12

If use a self-prepared CA file, we can know where the .crt file is. And set it to a client server in order to connect to the LDAP(FreeIPA) server.

But where is it by the default way?


Solution

I don't see how this question is related to programming, maybe move it to ServerFault.

And it's not clear what you want to do exactly. You don't want to install an embedded CA within the IPA Server, but it's unclear if you're going to use an external CA or no CA at all. In the first case this means the IPA Server would still automatically update the certificates, while the second case means you would update yourself when it is necessary.

The best entry point is the Linux Domain Identity, Authentication, and Policy Guide

If you're not going to use any CA at all, see section 2.3.6 :

# ipa-server-install \
    --http-cert-file /tmp/server.crt \
    --http-cert-file /tmp/server.key \
    --http-pin secret \
    --dirsrv-cert-file /tmp/server.crt \
    --dirsrv-cert-file /tmp/server.key \
    --dirsrv-pin secret \
    --ca-cert-file ca.crt


Answered By - Eugène Adell
Answer Checked By - Gilberto Lyons (WPSolving Admin)