Support for external CA

Partial implementation of issue #95 (closed). The CSR will be generated and ready to be signed by an external CA.

My change does not support the usage of $external_cert_files described in previous issue, only the generation of the CSR.

In my opinion, the workflow is not very good if you have to run puppet, then sign the CSR, then commit your addition of the CRT to puppet, then run puppet again, all during the setup of the IPA server…

In my setup, once the puppet run is completed, the CSR will be available in /root/ipa.csr. After it has been signed by your external CA, you must complete the installation process manually on the server:

ipa-server-install \
    --external-cert-file /root/ipa.crt \
    --external-cert-file /root/ca.crt

Note that I also added a line about ca_subject in the README.md; my other merge request that is related to this one: !135

It is also quite hard to write tests for this change, as they would have to be acceptance tests and would require multiple phases (run, then sign the CSR, then run again…). So I simply test whether the code compiles in a unit test.
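
A pre-flight check that can be run on the server after the external CA returns the certificate and before the manual ipa-server-install step described above. This is an added example, not part of the merge request or the Puppet module; the function name check_external_cert is hypothetical, and the CA file is assumed to contain the external CA's full chain up to its root.

```shell
#!/bin/sh
# Added example (not from the merge request): sanity-check the files returned
# by the external CA before handing them to ipa-server-install.
# Paths in the usage line follow the merge request description.

check_external_cert() {
    csr=$1 crt=$2 ca=$3

    # 1. The issued certificate must carry the same public key as the CSR
    #    that the IPA installer generated; otherwise it belongs to another
    #    request (or another server) and must not be installed.
    csr_key=$(openssl req  -in "$csr" -noout -pubkey 2>/dev/null | openssl sha256)
    crt_key=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    if [ "$csr_key" != "$crt_key" ]; then
        echo "public key in $crt does not match $csr" >&2
        return 2
    fi

    # 2. The IPA CA is a subordinate CA, so the external CA must have issued
    #    a CA certificate (basicConstraints CA:TRUE), not a leaf certificate.
    if ! openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'; then
        echo "$crt is not a CA certificate" >&2
        return 3
    fi

    # 3. The certificate must chain to the external CA file that will be
    #    passed as the second --external-cert-file argument.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt does not verify against $ca" >&2
        return 4
    fi

    echo "OK: $crt matches $csr and chains to $ca"
    return 0
}

# Usage on the IPA server:
#   check_external_cert /root/ipa.csr /root/ipa.crt /root/ca.crt
```

Each failure mode has its own exit status (2 key mismatch, 3 not a CA certificate, 4 chain failure), so the check can gate the installer call in a script.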
