- I followed this document on the Red Hat side: How to add third party certificates for HTTP/LDAP in IPA - Red Hat Customer Portal
- I noticed that the servers can be placed inside the existing AD domain. Example: assuming ornek.com is a DS managed by AD, the servers can be configured as “idm1.ornek.com” and “idm2.ornek.com”; it is enough to choose IDM.ORNEK.COM only for the Kerberos name.
- If the organization's CA is to be used for the certificates, the path described in item 1 can be followed as below.
#Starting the operations on idm01.
grep -i turk /etc/ssl/certs/ca-bundle.*
##A backup is taken before starting the operations.
tar zcvf /root/yedek/sertifika_calismasidir.tgz /etc/dirsrv/slapd-IDM-DMZ-LOCAL/ /etc/httpd/alias /var/lib/certmonger /var/lib/ipa/certs
##The organization's 2 CA certificates are loaded; it is sufficient to do this on one IDM server.
[root@idm01 sertifikalar]# ipa-cacert-manage -p *** -n "Firma Turk Trust Network" -t C,, install ca-root.crt
Installing CA certificate, please wait
Verified Firma Turk Trust Network
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@idm01 sertifikalar]# ipa-cacert-manage list
IDM.DMZ.LOCAL IPA CA
Firma Turk Trust Network
The ipa-cacert-manage command was successful
[root@idm01 sertifikalar]#
[root@idm01 sertifikalar]# ipa-cacert-manage -p *** -n "Firma Turk Wireless Network" -t C,, install ca-sub.crt
Installing CA certificate, please wait
Verified Firma Turk Wireless Network
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@idm01 sertifikalar]# ipa-cacert-manage list
IDM.DMZ.LOCAL IPA CA
Firma Turk Trust Network
Firma Turk Wireless Network
The ipa-cacert-manage command was successful
[root@idm01 sertifikalar]#
This step must be performed on all IDM servers when the certificate operations are done (ON EVERY IDM SERVER).
[root@idm01 sertifikalar]# ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
[root@idm01 sertifikalar]#
[root@idm01 sertifikalar]# ipa-server-certinstall -w -d idm01_pkcs8_pem.key idm01.cer
Directory Manager password:
Enter private key unlock password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
[root@idm01 sertifikalar]#
[root@idm01 sertifikalar]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@idm01 sertifikalar]#
[root@idm02 sertifikalar]# ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
[root@idm02 sertifikalar]# ipa-server-certinstall -w -d idm02_pkcs8_pem.key idm02.cer
Directory Manager password:
Enter private key unlock password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
[root@idm02 sertifikalar]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@idm02 sertifikalar]#
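A pre-flight check for the certificate files, added here as an example that is not part of the original notes or of the Red Hat document: before ipa-server-certinstall is run on each server it confirms that the PKCS#8 key belongs to the certificate, that the certificate chains to the root through the sub CA loaded with ipa-cacert-manage, and that it names the IdM host. It assumes openssl is on PATH; the host name idm01.ornek.com, the file names and the throw-away chain it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: pre-flight checks on the certificate files
# before ipa-server-certinstall, so a key/cert mismatch or an incomplete chain is caught
# before ipactl restart. Assumes openssl on PATH and a scratch dir $WORK; constructed names.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. The private key belongs to the server certificate (compare the public keys).
#    $3 is an openssl passphrase source for an encrypted key, e.g. env:KEYPASS.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# 2. The server certificate chains to the corporate root through the sub CA,
#    i.e. the two CA certificates loaded with ipa-cacert-manage are sufficient.
chain_verifies() {  # args: root sub cert
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# 3. The certificate names the IdM host as a DNS subjectAltName entry.
cert_names_host() {  # args: cert fqdn
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# Constructed throw-away chain so the checks run offline; real runs use the CA's files.
make_test_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'subjectAltName=DNS:idm01.ornek.com\n' > srv.ext
  for n in root sub idm01_pkcs8_pem wrong; do   # wrong.key never matches idm01.cer
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
  done
  openssl req -new -key root.key -subj "/CN=Constructed Root CA" -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out ca-root.crt 2>/dev/null
  openssl req -new -key sub.key -subj "/CN=Constructed Sub CA" -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA ca-root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out ca-sub.crt 2>/dev/null
  openssl req -new -key idm01_pkcs8_pem.key -subj "/CN=idm01.ornek.com" -out idm01.csr 2>/dev/null
  openssl x509 -req -in idm01.csr -CA ca-sub.crt -CAkey sub.key -CAcreateserial \
    -days 2 -extfile srv.ext -out idm01.cer 2>/dev/null
)

# All three checks on the files in $WORK; returns 0 only if every check passes.
preflight() {
  key_matches_cert "$WORK/idm01_pkcs8_pem.key" "$WORK/idm01.cer" &&
  chain_verifies "$WORK/ca-root.crt" "$WORK/ca-sub.crt" "$WORK/idm01.cer" &&
  cert_names_host "$WORK/idm01.cer" idm01.ornek.com
}
```

Run `make_test_chain && preflight` to exercise the checks on the constructed chain; for a real server point the three functions at the files received from the corporate CA and pass the key's unlock password as the third argument of key_matches_cert.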