Christian Reiss via FreeIPA-users wrote:
Hey folks,
Would it be possible to get FreeIPA to sign an arbitrary, non IPA
managed CA? Background: Before FreeIPA we enrolled our own CA for
internal services and imported the CA into the browsers, which worked
like a charm. Now with FreeIPA we would have to import two CAs into the
browsers and would like to have the external CA as an intermediate.
The alternative is to re-sign the IPA CA with your existing CA.
The IPA CA can't manually sign another CA. It can issue its own sub-cas.
rob
It's okay to roll out a new CA & certificates.
I also tried to add a 2nd CA via the web-Gui, which worked. But I could
not figure out how to get that private key.
So in short: The way doesn't matter. In the end I would like to have an
intermediate CA, signed by FreeIPA main CA which a 10+ year validity
that I can externally use.
Any approach to that?
Thanks,
Chris.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...