Overview#
This page provides instructions to set up IPA for PKI development and testing. To set up IPA for production please refer to the official IPA documentation.
Installing IPA Packages#
Fedora packages#
To install the packages:
$ dnf install freeipa-server
Sometimes it’s necessary to add --allowerasing.
To upgrade the packages:
$ dnf update freeipa-server
RHEL packages#
To install the packages:
$ yum install ipa-server
Installing IPA Server#
Basic IPA server#
$ ipa-server-install -a Secret.123 -p Secret.123 -r EXAMPLE.COM -U
IPA server with externally-signed CA#
Run IPA installation step 1 to generate a CSR:
$ ipa-server-install -a Secret.123 -p Secret.123 -r EXAMPLE.COM --external-ca -U
Create an NSS database:
$ mkdir nssdb
$ echo Secret.123 > nssdb/password.txt
$ certutil -N -d nssdb -f nssdb/password.txt
Create an external CA certificate:
$ openssl rand -out nssdb/noise.bin 2048
$ echo -e "y\n\ny\n" | \
certutil -S \
-d nssdb \
-f nssdb/password.txt \
-z nssdb/noise.bin \
-n "External CA" \
-s "CN=External CA,O=EXTERNAL" \
-x \
-t "CTu,CTu,CTu" \
-m $RANDOM \
-2 \
--keyUsage certSigning \
--nsCertType sslCA,smimeCA,objectSigningCA
$ certutil -L -d nssdb -n "External CA" -a > /root/external.crt
Sign the CSR:
$ echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
certutil -C \
-d nssdb \
-f nssdb/password.txt \
-m $RANDOM \
-a -i /root/ipa.csr \
-o /root/ipa.crt \
-c "External CA" \
-1 -2
Run IPA installation step 2 to complete the installation:
$ ipa-server-install -p Secret.123 --external_cert_file /root/ipa.crt --external_ca_file /root/external.crt
Cloning IPA Server#
Fedora 23 replica#
On master:
$ ipa-replica-prepare <replica hostname> -p Secret.123
It will generate /var/lib/ipa/replica-info-<replica hostname>.gpg. To verify the content, see GPG. Transfer this file to the replica.
On replica:
$ ipa-replica-install --setup-ca --setup-kra --setup-dns --no-forwarders replica-info-<replica hostname>.gpg
If installation fails, the replication agreement may need to be cleaned up manually on master:
$ ipa-replica-manage del <replica hostname> --force
Fedora 24 replica#
On replica, install IPA client:
$ ipa-client-install
Promote the client to become replica:
$ ipa-replica-install
RHEL 7 replica#
On RHEL 6 master:
$ python copy-schema-to-ca.py
$ ipa-replica-prepare <replica hostname> -p Secret.123
It will generate /var/lib/ipa/replica-info-<replica hostname>.gpg. Transfer this file to the replica.
On RHEL 7 replica:
$ ipa-replica-install --setup-ca --setup-dns --no-forwarders replica-info-<replica hostname>.gpg
Uninstalling IPA Server#
$ ipa-server-install --uninstall -U