Hi,

We need to deploy an IdM environment in a firewalled network with different layers (untrusted/semi-trusted/trusted).

In the untrusted network there will be no IdM servers. In the trusted, we will have replicas with the base services (ldap/kerberos/dns). Hosts in the untrusted zone will talk to these replicas.

In the trusted zone we will have replicas with the CA functionality as well, and obviously the IdM servers will communicate between the semi-trusted and trusted zone.

According to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#replica-considerations

"If you set up a replica without a CA, it will forward all requests for certificate operations to the CA server in your topology."

The question is: will certmonger on hosts in the untrusted zone be able to request and renew certificates and have the requests proxied to the trusted zone servers with the CA service? I know mod_rewrite can do this using the [P] flag (https://httpd.apache.org/docs/2.4/rewrite/proxy.html), but is this something we can use for our goal?

Thanks!

--
Groeten,
natxo