Hi all,
I'm not sure the following is feasible, but IHAC who may want to use IPA in an air-gapped network while relying on smart card authentication using certificates from a very large, external CA. Can anyone give me an idea of whether the following scenario is feasible, and if so, supportable?
External certificate authority E issues user certificates and provisions smart card tokens. (It runs RHCS, if that matters.) Inside the isolated network, users are separately maintained in IPA domain P. When each user is created in P, a certificate issued by E is added to the user's entry. That certificate is used for pkinit and SSL/TLS client authentication to services in P.
So far, my understanding is that this should be feasible provided that E is added as a trusted authority in various places, but I'm a little fuzzy on the pkinit piece. Where it gets really problematic is dealing with CRLs.
Because P and its relying parties are isolated, they can't use OCSP to check current validity of a certificate. To avoid the hassles of distributing CRLs to all relying systems and services manually, would it be possible to add those CRLs to the set served by the OCSP responder in P? Obviously the responses would be signed by P rather than E, but if P has verified the CRL on which they were based it seems at least potentially viable.
As currently envisioned, E would be completely unaware of the existence of P, but P would trust certificates issued by E. If that isn't feasible, would it make any difference if P's CA were subordinate to E?
Thanks in advance for any guidance you can offer.
-Andrew
freeipa-users@lists.fedorahosted.org
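The step the question hinges on is "P has verified the CRL on which they were based": before any relying party in P (or any responder P runs on E's behalf) uses a CRL that arrived by hand in an air-gapped network, it has to confirm the CRL is actually signed by E's CA key, and only then use it for revocation checks. The script below is an added example, not code from the thread or from FreeIPA or RHCS; it builds a throwaway, constructed PKI with plain openssl (a stand-in "External CA E", one smart-card-style user certificate, a CRL before and after revoking it, and a CRL signed by an unrelated key that claims the same revocation) and then runs both checks. All names, paths and the `check_user_cert` function are placeholders invented for the example.

```shell
#!/bin/sh
# Added example (not from the original post): constructed "External CA E" issues a
# user cert and CRLs; a relying party in "P" (1) verifies the CRL's signature with E's
# CA certificate and (2) only then uses it for a revocation check. Nothing here is real.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the constructed PKI: E's root, one user cert, an empty CRL, a CRL revoking
# the user, and a CRL from an unrelated key that merely claims to be a revocation list.
setup_pki() {
  touch "$WORK/index.txt"; echo 01 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"
  cat > "$WORK/e_ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = E
[ E ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/e_ca.crt
private_key = $WORK/e_ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
x509_extensions = user_ext
[ cn_only ]
commonName = supplied
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # External CA E (self-signed root, constructed for the example)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/e_ca.cnf" \
    -subj "/CN=External CA E (constructed)" -keyout "$WORK/e_ca.key" -out "$WORK/e_ca.crt" 2>/dev/null
  # A client-auth certificate for a smart-card holder, issued by E
  openssl req -newkey rsa:2048 -nodes -config "$WORK/e_ca.cnf" \
    -subj "/CN=alice (constructed)" -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
  openssl ca -batch -config "$WORK/e_ca.cnf" -in "$WORK/alice.csr" -out "$WORK/alice.crt" 2>/dev/null
  # CRL before revocation, then revoke alice and issue a fresh CRL
  openssl ca -config "$WORK/e_ca.cnf" -gencrl -out "$WORK/crl_before.pem" 2>/dev/null
  openssl ca -config "$WORK/e_ca.cnf" -revoke "$WORK/alice.crt" 2>/dev/null
  openssl ca -config "$WORK/e_ca.cnf" -gencrl -out "$WORK/crl_after.pem" 2>/dev/null
  # A CRL signed by an unrelated key: same revocation entries, but not E's signature
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/e_ca.cnf" \
    -subj "/CN=Not E (constructed)" -keyout "$WORK/x.key" -out "$WORK/x.crt" 2>/dev/null
  openssl ca -config "$WORK/e_ca.cnf" -gencrl -cert "$WORK/x.crt" -keyfile "$WORK/x.key" \
    -out "$WORK/crl_forged.pem" 2>/dev/null
}

# Step 1: accept a CRL only if E's CA certificate verifies its signature. The exit
# status of `openssl crl -CAfile` has differed between releases, so the explicit
# "verify OK" line is checked instead of relying on the status code.
crl_is_signed_by() {  # $1 = CA cert, $2 = CRL
  openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q "verify OK"
}

# Step 2: revocation status of a user cert against a CRL that passed step 1.
# Returns 0 = valid, 1 = CRL not signed by the CA (do not use it), 2 = revoked/invalid.
check_user_cert() {  # $1 = CA cert, $2 = CRL, $3 = user cert
  crl_is_signed_by "$1" "$2" || return 1
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1 || return 2
  return 0
}

setup_pki
for crl in crl_before crl_after crl_forged; do
  rc=0; check_user_cert "$WORK/e_ca.crt" "$WORK/$crl.pem" "$WORK/alice.crt" || rc=$?
  echo "$crl: status $rc (0 valid, 1 untrusted CRL, 2 revoked)"
done
```

The order matters: a CRL that fails the signature check is dropped outright rather than being consulted, because a list that is not E's could just as easily omit a revocation as add one. Whether P's own OCSP responder can then be fed revocation data derived from an E-signed CRL is a question for the IPA/Dogtag side; the script only covers the verification that has to happen before that data is trusted.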