Hi,
I know of one usage - all the IPA ansible modules (ipa_*) query for 'ipa-ca' record to find the IPA server. But for other cases - looks like IPA clients mostly rely on entries like '_kerberos.*' and '_ldap.*'...
What other functionality uses 'ipa-ca' record? Thanks.
--
Regards, Dmitry Perets
On 9/2/19 4:58 PM, Dmitry Perets via FreeIPA-users wrote:
> Hi,
> I know of one usage - all the IPA ansible modules (ipa_*) query for 'ipa-ca' record to find the IPA server. But for other cases - looks like IPA clients mostly rely on entries like '_kerberos.*' and '_ldap.*'...
> What other functionality uses 'ipa-ca' record?
Hi,
Certificates are issued from IPA CA with the OCSP responder URI http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the certificate extensions).
flo
> Thanks.
> Regards, Dmitry Perets
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Certificates are issued from IPA CA with the OCSP responder URI http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the certificate extensions).
> flo
Thanks! Does it have to be an IPA server with a CA? What if it doesn't have a CA component - will it forward the request to one of the IPA servers with a CA?
On Mon, 02 Sep 2019, Dmitry Perets via FreeIPA-users wrote:
> > Certificates are issued from IPA CA with the OCSP responder URI http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the certificate extensions).
> > flo
> Thanks! Does it have to be an IPA server with a CA? What if it doesn't have a CA component - will it forward the request to one of the IPA servers with a CA?
It has to be a CA component server. That's why we have ipa-ca -- it is an entry that is managed to have only IP addresses of CA servers. Technically, something else could front it, but there are other issues with this approach.
In the past we tried to use a CNAME to point to the CA master, but it didn't work for the HTTP end-points.
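The two points made in this thread, that certificates issued by the IPA CA carry OCSP and CRL URLs under http://ipa-ca.$DOMAIN/ and that the ipa-ca name must therefore hold only the addresses of CA servers as A records rather than a CNAME, can be turned into a consistency check. The script below is an added example, not FreeIPA's own code or tooling: it compares the records published for ipa-ca with a role map of the IPA servers and reports every address that would make OCSP or CRL fetches fail. The domain, hostnames, addresses and records are constructed stand-ins for what you would collect from `ipa server-role-find` and a zone dump.

```python
"""Audit the ipa-ca DNS record against the CA role of each IPA server.

Added example, not FreeIPA project code.  Every input below is constructed:
the domain, the server hostnames/addresses and the published records are
hypothetical stand-ins for a role listing and a zone dump of ipa-ca.$DOMAIN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpaServer:
    hostname: str
    ip: str
    has_ca: bool          # True if the server runs the CA role


@dataclass(frozen=True)
class ResourceRecord:
    name: str             # fully qualified, with trailing dot
    rtype: str            # "A" or "CNAME"
    rdata: str


def expected_ipa_ca_records(domain, servers):
    """The A records ipa-ca should carry: one per CA server, nothing else."""
    name = f"ipa-ca.{domain}."
    ca_servers = sorted((s for s in servers if s.has_ca), key=lambda s: s.ip)
    return [ResourceRecord(name, "A", s.ip) for s in ca_servers]


def audit_ipa_ca(domain, servers, records):
    """Compare the published ipa-ca records with the CA role map.

    Returns a list of findings; an empty list means the record follows the
    rule from the thread: only CA servers' addresses, published as A records,
    because the OCSP responder and CRL distribution point in issued
    certificates are plain HTTP endpoints on ipa-ca.$DOMAIN.
    """
    name = f"ipa-ca.{domain}."
    findings = []
    own = [r for r in records if r.name.lower() == name.lower()]
    cnames = [r for r in own if r.rtype.upper() == "CNAME"]
    a_records = [r for r in own if r.rtype.upper() == "A"]

    for r in cnames:
        findings.append(f"{name} is a CNAME to {r.rdata}; publish A records for the CA servers instead")
    if not a_records and not cnames:
        findings.append(f"{name} has no records; OCSP and CRL fetches will fail")

    published = {r.rdata for r in a_records}
    ca_ips = {s.ip: s.hostname for s in servers if s.has_ca}
    non_ca_ips = {s.ip: s.hostname for s in servers if not s.has_ca}

    # Addresses in ipa-ca that do not belong to a CA server: requests routed
    # there get no OCSP/CRL service.
    for ip in sorted(published - set(ca_ips)):
        if ip in non_ca_ips:
            findings.append(f"{ip} ({non_ca_ips[ip]}) is published in {name} but runs no CA")
        else:
            findings.append(f"{ip} is published in {name} but is not a known IPA server")
    # CA servers left out of ipa-ca: not a failure for clients, but lost redundancy.
    for ip in sorted(set(ca_ips) - published):
        findings.append(f"CA server {ca_ips[ip]} ({ip}) is missing from {name}")
    return findings


# Constructed sample data (hypothetical domain, hosts and addresses).
DOMAIN = "example.test"
SERVERS = [
    IpaServer("ipa1.example.test", "192.0.2.10", has_ca=True),
    IpaServer("ipa2.example.test", "192.0.2.11", has_ca=True),
    IpaServer("ipa3.example.test", "192.0.2.12", has_ca=False),   # replica without CA
]
PUBLISHED = [
    ResourceRecord("ipa-ca.example.test.", "A", "192.0.2.10"),
    ResourceRecord("ipa-ca.example.test.", "A", "192.0.2.12"),    # wrong: non-CA replica
    ResourceRecord("ipa1.example.test.", "A", "192.0.2.10"),      # unrelated record, ignored
]


def demo():
    """Run the audit on the sample data and show the records ipa-ca should hold."""
    findings = audit_ipa_ca(DOMAIN, SERVERS, PUBLISHED)
    for f in findings:
        print("FINDING:", f)
    print("expected records:")
    for r in expected_ipa_ca_records(DOMAIN, SERVERS):
        print(f"  {r.name} IN {r.rtype} {r.rdata}")
    return findings


if __name__ == "__main__":
    demo()
```

On the sample data the audit reports the non-CA replica published under ipa-ca and the CA server that is missing from it; feeding it the output of `expected_ipa_ca_records` instead yields no findings. The CNAME check reflects the last reply's note that a CNAME to a CA master did not work for the HTTP endpoints.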