Hi, I'm new to FreeIPA and I have a conceptual question.
I have an existing PKI-Infrastructure with one root CA and three derived Sub-CAs. Now I want to change the PKI-Management to FreeIPA without replacing the already existing Sub-CAs.
My first question is: Is it possible to have more than one external CA (by the installation with "external-ca") in FreeIPA? The goal is to import the three existing external Sub-CAs with their keys into FreeIPA. I have found various sources from around 2015 that such a feature will be implemented later, but I didn't find any information on whether it is implemented yet or not. Furthermore, I don't want to import the root CA with its key into FreeIPA. As far as I understood, this would be a security benefit if the IPA server were compromised. If that idea is wrong, I would be happy to get some advice on this.
Thanks Alexander
On 3/11/20 5:01 PM, Alexander Petrenz via FreeIPA-users wrote:
Hi, I'm new to FreeIPA and I have a conceptual question.
I have an existing PKI-Infrastructure with one root CA and three derived Sub-CAs. Now I want to change the PKI-Management to FreeIPA without replacing the already existing Sub-CAs.
My first question is: Is it possible to have more than one external CA (by the installation with "external-ca") in FreeIPA? The goal is to import the three existing external Sub-CAs with their keys into FreeIPA. I have found various sources from around 2015 that such a feature will be implemented later, but I didn't find any information on whether it is implemented yet or not. Furthermore, I don't want to import the root CA with its key into FreeIPA. As far as I understood, this would be a security benefit if the IPA server were compromised. If that idea is wrong, I would be happy to get some advice on this.
Hi, when the command ipa-server-install --external-ca is used, it means that IPA will also host a CA service with its own cert, but that cert is signed by a single external CA. So no, it's not possible to have multiple external CAs signing the IPA CA. The chain is External CA > IPA CA.
On the other hand, you may want to install other external CA certs in IPA using ipa-cacert-manage install / ipa-certupdate. With this command the CA certs are appended to the trusted CAs and the clients will also download and install them in their trust stores.
In all the cases, the external CA and subCA keys won't be imported into IPA, only the public certificates.
Hope this clarifies, flo
Thanks Alexander
Thanks for your reply. To get this right: You said that by using an external CA or importing additional external CAs into FreeIPA, keys won't be imported into FreeIPA. So does that mean that when using such a setup FreeIPA is not intended to issue its own certificates to clients?
Alexander Petrenz via FreeIPA-users wrote:
Thanks for your reply. To get this right: You said that by using an external CA or importing additional external CAs into FreeIPA, keys won't be imported into FreeIPA. So does that mean that when using such a setup FreeIPA is not intended to issue its own certificates to clients?
I can't quite parse your question.
Think of IPA as its own sub-CA. You'd sign it using your existing CA (or one of the sub-CAs).
There is no way to import your sub-CA private keys into IPA to be used for signing.
IPA can issue certs for services, hosts and users.
rob
That's exactly what I meant. Thanks for the clarification! Alex
I continued setting this up. From the externally signed IPA root CA I was trying to create a nested structure of additional CAs. However, this doesn't seem to be supported. Is that correct? Here is something similar to what I tried:
Root (externally signed)
|- external CA
   |- servers CA
   |- clients CA
|- internal CA
   |- internal servers CA
   |- internal clients CA
I guess I could only do this without the intermediate external and internal CA.
Regards Alex
It ate the formatting, sorry. However, I hope it is clear that I tried to sketch some nested hierarchy.
Regards Alexander
On 3/20/20 12:32 PM, Alex P via FreeIPA-users wrote:
I continued setting this up. From the externally signed IPA root CA I was trying to create a nested structure of additional CAs. However, this doesn't seem to be supported. Is that correct? Here is something similar to what I tried:
Root (externally signed)
|- external CA
   |- servers CA
   |- clients CA
|- internal CA
   |- internal servers CA
   |- internal clients CA
I guess I could only do this without the intermediate external and internal CA.
Hi,
IPA has the ability to define lightweight sub-CAs, but the sub-CAs can only be direct subordinates of the IPA CA. So you can have:
IPA CA (externally signed)
|- subCA1
|- subCA2
|- ...
For more information please refer to Lightweight Sub-CAs [1] and Fraser's blog post [2], especially the "limitations" section: -----8<----- there is no support for “nesting” CAs ----->8-----
Hope this clarifies, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[2] https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-subcas...
Regards Alex
It ate the formatting, sorry. However, I hope it is clear that I tried to sketch some nested hierarchy.
Regards Alexander
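As an added illustration (not from this thread or the FreeIPA project), a throwaway openssl session that builds the shape flo describes, external root > IPA CA > lightweight sub-CA > service cert, and verifies an issued cert while trusting only the root, plus one case showing why a further CA level under the sub-CA does not chain. The names root, ipa-ca, subca, svc and the pathlen values are the demo's own assumptions, not what IPA's profiles set.

```shell
#!/bin/sh
# Constructed demo (not IPA tooling): build the shape the thread arrives at,
#   external root CA (key stays offline)  >  IPA CA  >  lightweight sub-CA  >  service cert
# then verify a service cert against only the root, as a client holding just root.crt would.
# Assumes openssl 1.1.1+ on PATH; names root, ipa-ca, subca, svc and pathlen values are the demo's.
set -eu
WORK=$(mktemp -d); cd "$WORK"   # scratch dir; files are left here for inspection
# mkkey_csr NAME SUBJECT : fresh key plus CSR (for the IPA CA this is what --external-ca hands you)
mkkey_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
# mkca NAME ISSUER PATHLEN : CA certificate for NAME signed with ISSUER's key
mkca() {
  mkkey_csr "$1" "/CN=Demo $1"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\nkeyUsage=critical,keyCertSign,cRLSign\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 30 -extfile "$1.ext" 2>/dev/null
}
# mkleaf NAME ISSUER : end-entity (service) certificate signed with ISSUER's key
mkleaf() {
  mkkey_csr "$1" "/CN=$1.demo.test"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 30 -extfile "$1.ext" 2>/dev/null
}
# verify_chain LEAF BUNDLE : trust only root.crt; every intermediate comes in untrusted via BUNDLE
verify_chain() {
  openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
}

# 1. Offline root: self-signed. Only root.crt would ever be handed to IPA (ipa-cacert-manage install).
mkkey_csr root "/CN=Demo External Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 -extfile root.ext 2>/dev/null

# 2. IPA CA signed by the root (the --external-ca step); 3. one lightweight sub-CA directly under it
mkca ipa-ca root 1
mkca subca ipa-ca 0

# 4. Service cert from the sub-CA verifies with the root as the only trust anchor
mkleaf svc subca
cat ipa-ca.crt subca.crt > chain.pem
verify_chain svc.crt chain.pem && echo "svc.crt chains to the external root"

# 5. A CA nested under the sub-CA (the shape IPA does not offer): its certs fail path validation here
mkca nested subca 0
mkleaf svc2 nested
cat ipa-ca.crt subca.crt nested.crt > chain2.pem
verify_chain svc2.crt chain2.pem || echo "svc2.crt rejected: one CA level too deep"
```

Step 5 fails because of the pathlen constraints this demo puts on the CA certs; in IPA the absence of nesting is a product limitation, as the linked docs state.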
Sorry, I guess I got confused on this. There would still be the key of the FreeIPA internal CA certificate, which was signed by the external CA, and this can be used for issuing certificates. However, as far as I understood, there can only be one externally signed CA certificate: the one handled during the installation via --external-ca. Correct?