Hey folks,
Would it be possible to get FreeIPA to sign an arbitrary, non-IPA-managed CA? Background: Before FreeIPA we enrolled our own CA for internal services and imported the CA into the browsers, which worked like a charm. Now with FreeIPA we would have to import two CAs into the browsers and would like to have the external CA as an intermediate.
It's okay to roll out a new CA & certificates.
I also tried to add a 2nd CA via the web GUI, which worked. But I could not figure out how to get that private key.
So in short: The way doesn't matter. In the end I would like to have an intermediate CA, signed by the FreeIPA main CA with a 10+ year validity that I can use externally.
Any approach to that?
Thanks, Chris.
Christian Reiss via FreeIPA-users wrote:
> Hey folks,
> Would it be possible to get FreeIPA to sign an arbitrary, non-IPA-managed CA? Background: Before FreeIPA we enrolled our own CA for internal services and imported the CA into the browsers, which worked like a charm. Now with FreeIPA we would have to import two CAs into the browsers and would like to have the external CA as an intermediate.
The alternative is to re-sign the IPA CA with your existing CA.
The IPA CA can't manually sign another CA. It can issue its own sub-CAs.
rob
> It's okay to roll out a new CA & certificates.
> I also tried to add a 2nd CA via the web GUI, which worked. But I could not figure out how to get that private key.
> So in short: The way doesn't matter. In the end I would like to have an intermediate CA, signed by the FreeIPA main CA with a 10+ year validity that I can use externally.
> Any approach to that?
> Thanks, Chris.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Mon, Jul 29, 2019 at 03:17:22PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Christian Reiss via FreeIPA-users wrote:
> > Hey folks,
> > Would it be possible to get FreeIPA to sign an arbitrary, non-IPA-managed CA? Background: Before FreeIPA we enrolled our own CA for internal services and imported the CA into the browsers, which worked like a charm. Now with FreeIPA we would have to import two CAs into the browsers and would like to have the external CA as an intermediate.
> The alternative is to re-sign the IPA CA with your existing CA.
> The IPA CA can't manually sign another CA. It can issue its own sub-CAs.
Sure it can. But there are some restrictions on the Subject DN, which the existing CA to be cross-signed may or may not satisfy.
Info here: https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinat...
Cheers, Fraser
> rob
> > It's okay to roll out a new CA & certificates.
> > I also tried to add a 2nd CA via the web GUI, which worked. But I could not figure out how to get that private key.
> > So in short: The way doesn't matter. In the end I would like to have an intermediate CA, signed by the FreeIPA main CA with a 10+ year validity that I can use externally.
> > Any approach to that?
> > Thanks, Chris.
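The layout the thread is after (the pre-existing internal CA kept as an intermediate under the IPA root, so browsers only need the one root) mocked up locally with openssl, as an added example that is not part of the thread or of FreeIPA. The self-signed "ipa-root" key here is only a stand-in for the FreeIPA CA, which would do the actual cross-signing in a real deployment; all DNs and hostnames are made up.

```shell
#!/bin/sh
# Added example, not from the thread. "ipa-root" is a local self-signed
# stand-in for the FreeIPA CA; in a real deployment the cross-signing step
# is performed by the IPA CA itself. All DNs and hostnames are made up.
set -e

# Issue a CA certificate (CA:TRUE, keyCertSign) for a CSR from the given issuer.
# $1=csr  $2=issuer cert  $3=issuer key  $4=output cert  $5=validity in days
issue_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days "$5" -extfile ca.ext -out "$4" 2>/dev/null
}

cross_sign_demo() {
    work=$(mktemp -d) && cd "$work"
    # 1. Stand-in for the FreeIPA root CA (the only CA browsers need to trust).
    openssl req -x509 -newkey rsa:2048 -nodes -days 7300 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout ipa-root.key -out ipa-root.pem 2>/dev/null
    # 2. The pre-existing internal CA, self-signed as it was before FreeIPA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Internal/CN=Internal Services CA" \
        -keyout old-ca.key -out old-ca-selfsigned.pem 2>/dev/null
    # 3. A service certificate the old CA has already issued and deployed.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=svc.internal.example.test" \
        -keyout svc.key -out svc.csr 2>/dev/null
    openssl x509 -req -in svc.csr -CA old-ca-selfsigned.pem -CAkey old-ca.key \
        -CAcreateserial -days 365 -out svc.pem 2>/dev/null
    # 4. Cross-sign: same old-CA key and subject, but a new certificate issued
    #    by the IPA root with a 10+ year validity (3660 days).
    openssl req -new -key old-ca.key -subj "/O=Internal/CN=Internal Services CA" \
        -out old-ca.csr 2>/dev/null
    issue_ca old-ca.csr ipa-root.pem ipa-root.key old-ca-cross.pem 3660
    # 5. With only the IPA root trusted, the existing service cert validates
    #    once the cross-signed cert is supplied as the intermediate ...
    openssl verify -CAfile ipa-root.pem -untrusted old-ca-cross.pem svc.pem >/dev/null
    # ... and must fail without it: the old self-signed cert is no trust anchor.
    if openssl verify -CAfile ipa-root.pem svc.pem >/dev/null 2>&1; then
        return 1
    fi
    echo "OK: $work/svc.pem chains to ipa-root.pem via old-ca-cross.pem"
}

cross_sign_demo
```

Services keep their existing keys and certificates; only the intermediate they serve alongside the leaf changes from the old self-signed CA cert to the cross-signed one.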