Overview

This page provides instructions to set up IPA for PKI development and testing. To set up IPA for production, please refer to the official IPA documentation. The commands below use the sample password Secret.123 throughout.

Installing IPA Server

To install the first IPA server (i.e. master), execute the following command on the server:

$ ipa-server-install -U \
 -r EXAMPLE.COM \
 -p Secret.123 \
 -a Secret.123

To install IPA server with an existing SSL certificate:

$ ipa-server-install -U \
 -r EXAMPLE.COM \
 -p Secret.123 \
 -a Secret.123 \
 --dirsrv-cert-file=server.p12 \
 --dirsrv-pin Secret.123 \
 --http-cert-file=server.p12 \
 --http-pin Secret.123

To install IPA server with an externally signed CA certificate:

$ ipa-server-install -U \
 -r EXAMPLE.COM \
 -p Secret.123 \
 -a Secret.123 \
 --external-ca \
 --subject=O=EXAMPLE

This command generates a CSR at /root/ipa.csr. Submit the CSR to the external CA to obtain the signed certificate (e.g. /root/ipa.crt), then execute the following command:

$ ipa-server-install -U \
 -r EXAMPLE.COM \
 -p Secret.123 \
 -a Secret.123 \
 --external-cert-file=/root/ipa.crt
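
For a test lab without a real external CA, the "submit the CSR to the CA" step can be done with a throwaway OpenSSL root CA. The script below is an added example, not part of the original page or of IPA; the directory layout and the file names ca.cnf, external-ca.key and external-ca.crt are assumptions.

```shell
#!/bin/sh
# Added example: throwaway external CA for a test lab. Directory and file
# names (ca.cnf, external-ca.key, external-ca.crt) are assumptions.

# make_test_ca DIR: create a self-signed root CA (key, cert, config) in DIR.
make_test_ca() {
    mkdir -p "$1" || return 1
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = EXTERNAL TEST
CN = External Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" \
        -keyout "$1/external-ca.key" -out "$1/external-ca.crt" 2>/dev/null
}

# sign_ipa_csr DIR CSR OUT: sign the CSR from ipa-server-install as a
# subordinate CA certificate (CA:TRUE, keyCertSign), valid for 30 days.
sign_ipa_csr() {
    openssl x509 -req -in "$2" -sha256 -days 30 \
        -CA "$1/external-ca.crt" -CAkey "$1/external-ca.key" -CAcreateserial \
        -extfile "$1/ca.cnf" -extensions v3_ca -out "$3" 2>/dev/null
}

# check_signed_cert DIR CSR CRT: succeed only if CRT chains to the test CA,
# is marked CA:TRUE and carries the same public key as the CSR.
check_signed_cert() {
    openssl verify -CAfile "$1/external-ca.crt" "$3" >/dev/null 2>&1 || return 1
    openssl x509 -in "$3" -noout -text | grep -q "CA:TRUE" || return 1
    [ "$(openssl req -in "$2" -noout -pubkey)" = \
      "$(openssl x509 -in "$3" -noout -pubkey)" ]
}

# Run as: sh sign-test-ca.sh /root/test-ca /root/ipa.csr /root/ipa.crt
if [ $# -eq 3 ]; then
    make_test_ca "$1" && sign_ipa_csr "$1" "$2" "$3" &&
        check_signed_cert "$1" "$2" "$3" && echo "signed: $3"
fi
```

With a private CA like this one, the installer also needs the external CA certificate to build the chain; --external-cert-file may be given more than once, so external-ca.crt can be passed alongside /root/ipa.crt.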

Installing CA

By default the IPA master will have a CA.

Installing KRA

To install KRA, execute the following command on the server:

$ ipa-kra-install -p Secret.123

Installing IPA Client

To install IPA client, execute the following command on the client:

$ ipa-client-install -U \
 --server server.example.com \
 --domain example.com \
 --realm EXAMPLE.COM \
 -p admin \
 -w Secret.123

Promoting IPA Client into Replica

To promote IPA client into a replica, execute the following command on the client:

$ ipa-replica-install -U \
 -P admin \
 -w Secret.123

To promote IPA client using an existing server certificate:

$ ipa-replica-install -U \
 -P admin \
 -w Secret.123 \
 --dirsrv-cert-file server.p12 \
 --dirsrv-pin Secret.123 \
 --http-cert-file server.p12 \
 --http-pin Secret.123

Installing CA Clone

By default an IPA replica will not have a CA (unless --setup-ca was specified during IPA client promotion).

To install CA clone, execute the following command on the replica:

$ ipa-ca-install -p Secret.123

Installing KRA Clone

By default an IPA replica will not have a KRA (unless --setup-kra was specified during IPA client promotion).

To install KRA clone, execute the following command on the replica:

$ ipa-kra-install -p Secret.123
