Overview#
This page provides instructions to set up IPA for PKI development and testing. To set up IPA for production, please refer to the official IPA documentation.
Installing IPA Server#
To install the first IPA server (i.e. master), execute the following command on the server:
$ ipa-server-install -U \
-r EXAMPLE.COM \
-p Secret.123 \
-a Secret.123
To install IPA server with an existing SSL certificate:
$ ipa-server-install -U \
-r EXAMPLE.COM \
-p Secret.123 \
-a Secret.123 \
--dirsrv-cert-file=server.p12 \
--dirsrv-pin Secret.123 \
--http-cert-file=server.p12 \
--http-pin Secret.123
To install IPA server with an externally signed CA certificate:
$ ipa-server-install -U \
-r EXAMPLE.COM \
-p Secret.123 \
-a Secret.123 \
--external-ca \
--subject=O=EXAMPLE
The command generates a CSR at /root/ipa.csr. Submit the CSR to the CA to obtain the certificate (e.g. /root/ipa.crt), then execute the following command:
$ ipa-server-install -U \
-r EXAMPLE.COM \
-p Secret.123 \
-a Secret.123 \
--external-cert-file=/root/ipa.crt
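For a development setup with no external CA at hand, the signing step between the two commands above can be done with a throwaway OpenSSL CA. The script below is an added example, not part of the original page or of IPA; the function names, subject names and temporary directory are assumptions made for illustration, and a constructed CSR stands in for /root/ipa.csr so that it runs without IPA installed.

```sh
#!/bin/sh
# Added example: throwaway external CA for a dev/test IPA install.
# Subject names and the temp directory are constructed for illustration.
set -eu

# Create a self-signed test root CA (ca.key, ca.crt) in directory $1.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=DEV TEST/CN=External Test Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# Sign CSR $1 with the CA in directory $2 and write the certificate to $3.
# x509 -req checks the CSR self-signature and ignores extensions requested
# in the CSR, so the CA extensions are set explicitly here.
sign_ca_csr() {
    _ext=$(mktemp)
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,digitalSignature,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$_ext"
    openssl x509 -req -in "$1" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$_ext" -out "$3" 2>/dev/null
    rm -f "$_ext"
}

# Succeed only if certificate $1 chains to CA file $2 and is marked CA:TRUE.
check_issued_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Constructed stand-in for /root/ipa.csr so the example runs without IPA.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=EXAMPLE/CN=Certificate Authority" \
        -keyout "$1/ipa.key" -out "$1/ipa.csr" 2>/dev/null
}

work=$(mktemp -d)
make_test_ca "$work"
make_sample_csr "$work"
sign_ca_csr "$work/ipa.csr" "$work" "$work/ipa.crt"
check_issued_ca "$work/ipa.crt" "$work/ca.crt" && echo "issued: $work/ipa.crt"
```

On a real test server, pass /root/ipa.csr to sign_ca_csr instead of the sample CSR. ipa-server-install also needs the issuing CA's certificate to validate the chain; --external-cert-file may be given more than once, so the test CA's ca.crt can be passed alongside ipa.crt.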
Installing CA#
By default the IPA master will have a CA.
Installing KRA#
To install KRA, execute the following command on the server:
$ ipa-kra-install -p Secret.123
Installing IPA Client#
To install IPA client, execute the following command on the client:
$ ipa-client-install -U \
--server server.example.com \
--domain example.com \
--realm EXAMPLE.COM \
-p admin \
-w Secret.123
Promoting IPA Client into Replica#
To promote IPA client into a replica, execute the following command on the client:
$ ipa-replica-install -U \
-P admin \
-w Secret.123
To promote IPA client using an existing server certificate:
$ ipa-replica-install -U \
-P admin \
-w Secret.123 \
--dirsrv-cert-file server.p12 \
--dirsrv-pin Secret.123 \
--http-cert-file server.p12 \
--http-pin Secret.123
Installing CA Clone#
By default, an IPA replica will not have a CA (unless --setup-ca was specified during IPA client promotion).
To install CA clone, execute the following command on the replica:
$ ipa-ca-install -p Secret.123
Installing KRA Clone#
By default, an IPA replica will not have a KRA (unless --setup-kra was specified during IPA client promotion).
To install KRA clone, execute the following command on the replica:
$ ipa-kra-install -p Secret.123