hi,
at work I am testing using a light sub-ca with openvpn to limit the scope of hosts that can auto request a certificate.
So far so good, really impressed with how well it works.
The question I cannot answer is: are there specific urls for crl/ocsp for sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well?
Thanks for your support.
Regards, -- Groeten, natxo
On Thu, 31 Jan 2019, Natxo Asenjo via FreeIPA-users wrote:
> hi,
> at work I am testing using a light sub-ca with openvpn to limit the scope of hosts that can auto request a certificate.
> So far so good, really impressed with how well it works.
> The question I cannot answer is: are there specific urls for crl/ocsp for sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well?
There is no CRL support for subCAs. OCSP should work just fine.
See https://bugzilla.redhat.com/show_bug.cgi?id=1478394 for details.
On Thu, Jan 31, 2019 at 10:30:36PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 31 Jan 2019, Natxo Asenjo via FreeIPA-users wrote:
> > hi,
> > at work I am testing using a light sub-ca with openvpn to limit the scope of hosts that can auto request a certificate.
> > So far so good, really impressed with how well it works.
> > The question I cannot answer is: are there specific urls for crl/ocsp for sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well?
> There is no CRL support for subCAs. OCSP should work just fine.
> See https://bugzilla.redhat.com/show_bug.cgi?id=1478394 for details.
To expand on Alexander's reply, the OCSP URL is indeed the same. This works because all the lightweight CAs (and the main CA) share a single serial number domain. So the OCSP responder uses the serial number to find the correct issuer with which to sign the OCSP response.
Cheers, Fraser
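Fraser's point in a checkable form, as an added example that is not from this thread or from the FreeIPA project: a small POSIX shell script that reads the OCSP URI out of a certificate issued by a lightweight sub-CA, reports whether a CRL Distribution Points extension is present at all, and queries the responder with the sub-CA (not the root) as the issuer. The file names leaf.pem, subca.pem and chain.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a certificate issued by a
# FreeIPA lightweight sub-CA and query the shared OCSP responder for it.
# Assumed (hypothetical) inputs: leaf.pem is the end-entity certificate,
# subca.pem the lightweight sub-CA that issued it, chain.pem the sub-CA plus
# the IPA root CA, used to verify the responder's signature.
set -eu

# Print the OCSP URI from the Authority Information Access extension. For a
# sub-CA-issued certificate this is the same URL as for the main IPA CA.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Print "crl-dp" if the certificate carries a CRL Distribution Points
# extension, otherwise "no-crl-dp". Since sub-CAs have no CRL support, a
# CRL-only client has nothing usable to fetch for such a certificate.
crl_dp_status() {
    if openssl x509 -noout -text -in "$1" | grep -q 'CRL Distribution Points'; then
        echo crl-dp
    else
        echo no-crl-dp
    fi
}

# Query the responder. -issuer must be the sub-CA that actually signed the
# leaf: the request's CertID is built from the issuer name and key hashes
# plus the serial, and the responder picks the signing issuer by that
# serial. -CAfile lets openssl verify the signature on the response.
ocsp_check() {
    leaf=$1; issuer=$2; chain=$3
    url=$(ocsp_uri_of "$leaf")
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
        -CAfile "$chain" -resp_text
}

# Usage: sh ocsp_check.sh leaf.pem subca.pem chain.pem
if [ "$#" -eq 3 ]; then
    echo "OCSP URI: $(ocsp_uri_of "$1")"
    echo "CRL DP:   $(crl_dp_status "$1")"
    ocsp_check "$1" "$2" "$3"
fi
```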
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland