Created Friday 01 December 2023
I've installed a standalone dogtag server to use as an off-line CA.
I'm going to install FreeIPA on a proxmox LXC container and sign its certificate with the dogtag CA server. The LXC container will be unprivileged.
After a CentOS 8 install from template, I had to install some extra packages;
Install part 1
Replace the following values with your own:
-n your domain
-r your domain in upper case
-p a super secret password
-a a super secret password
No need for --forwarder if /etc/resolv.conf is populated, as the forwarder values are taken from it.
ipa-server-install \
--setup-dns \
--no-ntp \
--setup-adtrust \
--setup-kra \
-n domain \
-r DOMAIN \
--netbios-name=GLI \
-p 'password' -a 'password' \
--external-ca
Install part 2
Now cat /root/ipa.csr and copy its contents.
Go to the dogtag web UI, SSL End User Services, Manual Certificate Manager Signing Certificate Enrollment.
Paste the copied certificate request and fill in your information.
Take note of the request number.
Go back to Agent Services, List Requests.
Find the certificate request, click it, and approve it.
Now go back and click List Certificates and find it, as the approval page does not show the complete certificate.
Copy the base64 encoded part to /root/ipa.cert.
Go back to List Certificates and click on the CA, which should be certificate 1.
Copy the base64 encoded part to /root/dogtagca.cert.
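Before running part 2 it is worth checking that the two pasted files belong together: the issuer of /root/ipa.cert must be the subject of /root/dogtagca.cert, and that CA must be self-issued. The following is an added example, not part of these notes: it decodes a pasted certificate (bare base64 or PEM) and reads issuer and subject straight out of the DER with only the standard library, comparing names rather than verifying signatures. The function names are mine, and the two certificates at the bottom are constructed, unsigned skeletons standing in for real Dogtag output.

```python
import base64
import re

def to_der(text):
    """Turn a pasted Dogtag certificate (bare base64 or full PEM) into DER bytes."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", text), validate=True)

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_names(der):
    """Return (issuer, subject) as raw DER Name bytes of an X.509 certificate."""
    tag, vs, ve = _tlv(der, 0)
    if tag != 0x30 or ve != len(der):
        raise ValueError("not exactly one DER SEQUENCE: check what was pasted")
    _, pos, end = _tlv(der, vs)  # tbsCertificate is the first element
    fields = []
    while pos < end:  # walk the TLVs of tbsCertificate in order
        fields.append(_tlv(der, pos))
        pos = fields[-1][2]
    if fields[0][0] == 0xA0:  # skip the explicit [0] version when present
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject
    return der[issuer[1]:issuer[2]], der[subject[1]:subject[2]]

def issued_by(cert_text, ca_text):
    """True when the cert's issuer is the CA's subject and the CA is self-issued."""
    issuer, subject = cert_names(to_der(cert_text))
    ca_issuer, ca_subject = cert_names(to_der(ca_text))
    return issuer == ca_subject == ca_issuer and subject != ca_subject

# Constructed test data: unsigned certificate skeletons with the real field layout
# (version, serial, sigAlg, issuer, validity, subject, SPKI); not real certificates.
def _der(tag, payload):
    n = len(payload)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb) + payload

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert(issuer_cn, subject_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    return base64.b64encode(_der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()

DOGTAG_CA = fake_cert("Dogtag CA", "Dogtag CA")           # what cert 1 from Dogtag should look like
IPA_CA = fake_cert("Dogtag CA", "Certificate Authority")  # the signed IPA CA certificate
```

On the real files, call issued_by(open('/root/ipa.cert').read(), open('/root/dogtagca.cert').read()); a False result means one of the two was copied from the wrong Dogtag page.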
Now run part 2.
Enter your super secret password.
Success message:
Setup complete
- You must make sure these network ports are open:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
- You can now obtain a kerberos ticket using the command: 'kinit admin'
and the web user interface.
- Kerberos requires time synchronization between clients
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful