V4/CA-less to CA-full conversion
Allow converting an existing CA-less IPA deployment to CA-full.
IPA CA install
Allow installing the IPA CA on top of an existing CA-less deployment.
The ipa-ca-install command will be extended to allow installing an IPA CA master in an existing CA-less environment. Currently it can only install IPA CA replicas from a provided replica info file. The replica info file will be made optional: when it is not provided, a new IPA CA master will be installed. To allow installing an externally signed CA, the --external-ca, --external_ca_file and --external_cert_file options will be added from ipa-server-install to ipa-ca-install.
Installing the CA will not cause existing service certificates to be replaced with new certificates issued by the CA. If that is needed, it has to be done manually, using ipa cert-request.
This requires IPA to support having multiple CA certificates (the old CA-less CA certificate and the new IPA CA certificate), which is implemented in the CA certificate renewal feature.
In order to properly install the CA on an existing deployment, the following has to be done:
- configure CA master instance, like in ipa-server-install,
- add CA related DNS records if DNS server is enabled,
- set enable_ra=True, ra_plugin=dogtag and dogtag_version=10 in /etc/ipa/default.conf,
- put the new IPA CA certificate chain into the /etc/dirsrv/slapd-REALM NSS database,
- put the old CA-less CA certificate into the /var/lib/pki/pki-tomcat/alias NSS database,
- restart DS, httpd and Dogtag.
IPA assumes the following nicknames (and subject names) of CA-related certificates in the /etc/httpd/alias and /etc/dirsrv/slapd-REALM NSS databases:
- REALM IPA CA (CN=Certificate Authority,SUBJECT_BASE),
- ipaCert (CN=IPA RA,SUBJECT_BASE),
- Signing-Cert (CN=Object Signing Cert,SUBJECT_BASE).
If any matching certificate is present prior to installing the CA, ipa-ca-install will refuse to continue.
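As an added illustration of two of the steps above (it is not FreeIPA's own code), the following Python script implements the pre-install check for reserved nicknames and the /etc/ipa/default.conf update. It parses the output of `certutil -L -d <db>` for the two NSS databases named above, substitutes the realm into the reserved nicknames, and reports any that are already present so the installer can refuse; it only checks nicknames, not subject names. The listings, realm EXAMPLE.COM and the default.conf contents are constructed sample data; `list_database`, `find_conflicts` and `enable_ca_in_default_conf` are hypothetical helper names.

```python
import configparser
import io
import shutil
import subprocess
from typing import Callable, Dict, List, Tuple

# Nicknames IPA reserves for CA-related certificates (from the design text);
# "{realm}" is replaced with the deployment's Kerberos realm.
CA_NICKNAMES = ("{realm} IPA CA", "ipaCert", "Signing-Cert")

# NSS databases the installer inspects; the DS database path also carries the realm.
NSS_DATABASES = ("/etc/httpd/alias", "/etc/dirsrv/slapd-{realm}")


def parse_certutil_listing(output: str) -> Dict[str, str]:
    """Parse `certutil -L -d <db>` output into {nickname: trust_flags}.

    Nicknames may contain spaces but trust flags never do, so each
    row is split once from the right. The two header lines are skipped.
    """
    certs: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,")):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue  # not a "nickname  trust" row
        nickname, trust = parts
        certs[nickname.strip()] = trust
    return certs


def expected_nicknames(realm: str) -> List[str]:
    return [n.format(realm=realm) for n in CA_NICKNAMES]


def find_conflicts(listings: Dict[str, str], realm: str) -> List[Tuple[str, str, str]]:
    """Return (database, nickname, trust) for every reserved nickname already present.

    `listings` maps an NSS database path to its raw certutil -L output.
    """
    reserved = set(expected_nicknames(realm))
    conflicts = []
    for db, output in listings.items():
        for nickname, trust in parse_certutil_listing(output).items():
            if nickname in reserved:
                conflicts.append((db, nickname, trust))
    return conflicts


def list_database(db: str) -> str:
    """Run certutil against a real NSS database (requires nss-tools)."""
    if shutil.which("certutil") is None:
        raise RuntimeError("certutil (nss-tools) is not installed")
    proc = subprocess.run(["certutil", "-L", "-d", db],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def preflight(realm: str, list_fn: Callable[[str], str] = list_database):
    """Collect listings for all databases and return the conflicts found."""
    dbs = [d.format(realm=realm) for d in NSS_DATABASES]
    return find_conflicts({db: list_fn(db) for db in dbs}, realm)


def enable_ca_in_default_conf(text: str) -> str:
    """Set the three CA-related keys in the [global] section of default.conf.

    Other keys are preserved; comments are not (configparser drops them),
    which is why the real installer uses its own config writer (assumption).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    if not cp.has_section("global"):
        cp.add_section("global")
    cp["global"]["enable_ra"] = "True"
    cp["global"]["ra_plugin"] = "dogtag"
    cp["global"]["dogtag_version"] = "10"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# Constructed sample listings modelled on certutil -L output: the DS database
# already holds a certificate under the reserved "<REALM> IPA CA" nickname.
SAMPLE_HTTPD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Root CA                                         CT,C,C
Server-Cert                                                  u,u,u
"""

SAMPLE_DIRSRV = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Root CA                                         CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""

# Constructed sample of a CA-less default.conf (not a real file from a deployment).
SAMPLE_DEFAULT_CONF = """\
[global]
host = ipa.example.com
realm = EXAMPLE.COM
enable_ra = False
"""


def demo() -> List[Tuple[str, str, str]]:
    listings = {"/etc/httpd/alias": SAMPLE_HTTPD,
                "/etc/dirsrv/slapd-EXAMPLE.COM": SAMPLE_DIRSRV}
    return find_conflicts(listings, "EXAMPLE.COM")


if __name__ == "__main__":
    for db, nick, trust in demo():
        print(f"refusing to install: {db} already contains '{nick}' ({trust})")
    print(enable_ca_in_default_conf(SAMPLE_DEFAULT_CONF))
```

With the sample data the script refuses because the DS database already contains "EXAMPLE.COM IPA CA"; on a real host `preflight("EXAMPLE.COM")` runs certutil against both databases instead. The config update is idempotent, so running it on an already converted default.conf changes nothing.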
See the design.
How to Test