Signing the IPA certificate

We can have the IPA server CA signed by our root CA.

Perform the IPA server installation using the --external-ca option. This creates the signing request /root/ipa.csr on the IPA server; copy it to the CA server for signing.

scp /root/ipa.csr caserver:/etc/pki/CA/intermediate/csr

Sign the IPA CA

We will sign the IPA request using the v3_intermediate_ca extensions, but with the policy_loose policy. The IPA CSR does not contain all of the subject fields that are mandatory under the root CA's default policy, so the loose policy we defined allows them to be optional.

openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
  -days 3650 -notext -md sha256 \
  -policy policy_loose \
  -in intermediate/csr/ipa.csr \
  -out intermediate/certs/ipa.pem

Installing the certs into IPA

Transfer the signed certificate (intermediate/certs/ipa.pem) back to the IPA server, along with the root CA certificate (certs/GatwardIT-CA2.pem), and continue the IPA installation using:

ipa-server-install --external-cert-file=/root/ipa.pem \
  --external-cert-file=/root/GatwardIT-CA2.pem