On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote:
> We had a developer team deploy their own CA and then issue a slew
> of certificates for users' workstations and other servers, and now
> they want us to deploy those certificates more widely. I'd rather
> find a way to bring their CA under ours so that the root CA
> certificate we already distribute will make theirs "just work"
> rather than having to distribute another set of root CA
> certificates.
>
> Is this possible, or would they have to start over and build a
> subordinate CA from the ground up to make it work? If it's perhaps
> possible, under what circumstances?
Hi Bret,
It is possible, but there are restrictions about what the sub-CA's
subject DN can be. Have a read of this blog post:
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
If your developer team's CA certificate does not fit those
requirements, please share the details of the certificate
(especially Subject DN) and I'll see if I can find a workaround.
Cheers,
Fraser
> Thanks!
> Bret