On Mon, Jul 29, 2019 at 03:17:22PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Christian Reiss via FreeIPA-users wrote:
> > Hey folks,
> >
> > Would it be possible to get FreeIPA to sign an arbitrary, non IPA
> > managed CA? Background: Before FreeIPA we enrolled our own CA for
> > internal services and imported the CA into the browsers, which worked
> > like a charm. Now with FreeIPA we would have to import two CAs into the
> > browsers and would like to have the external CA as an intermediate.
>
> The alternative is to re-sign the IPA CA with your existing CA.
>
> The IPA CA can't manually sign another CA. It can issue its own sub-cas.

Sure it can. But there are some restrictions on the Subject DN,
which the existing CA to be cross-signed may or may not satisfy.
Info here:
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
Cheers,
Fraser
> rob
>
> > It's okay to roll out a new CA & certificates.
> >
> >
> > I also tried to add a 2nd CA via the web-Gui, which worked. But I could
> > not figure out how to get that private key.
> >
> > So in short: The way doesn't matter. In the end I would like to have an
> > intermediate CA, signed by FreeIPA main CA with a 10+ year validity
> > that I can externally use.
> >
> > Any approach to that?
> >
> > Thanks,
> > Chris.
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >