On 18/07/2019 00:49, Fraser Tweedale wrote:
> On Wed, Jul 17, 2019 at 12:46:15PM +0100, lejeczek via FreeIPA-users
> wrote:
>>>> Hi,
>>>> please have a look at [1] Changing the Certificate chain:
>>>> ----8<----
>>>> Self-signed CA certificate → externally-signed CA certificate
>>>> Add the --external-ca option to ipa-cacert-manage renew. This renews the
>>>> self-signed CA certificate as an externally-signed CA certificate.
>>>> For details on running the command with this option, see Section 26.2.2,
>>>> “Renewing CA Certificates Manually”.
>>>> ---->8----
>>>>
>>>> you need to specify --external-ca --external-ca-type ms-cs
>>>> --external-ca-profile MySubCA
>>>>
>>> But replace "MySubCA" with the appropriate template name. Or leave
>>> it out if the default template name ("SubCA") is correct. You can
>>> also specify template by OID. Read `man 1 ipa-cacert-manage` for
>>> full details.
>>>
>>> Cheers,
>>> Fraser
>> AD's end - is "Appendix B: creating a custom sub-CA certificate
>> template" a must-have or optional, and can be skipped over to "Appendix
>> C: issuing a certificate"
>>
>> I imagine quite a few of us, those who do not have control over AD
>> domain and need to rely on those who have, must think that question.
>>
> It is not essential to use a custom sub-CA template for the IPA CA.
> The default ("SubCA") works just fine (subject to policy).
I confess I skipped it and just went straight to "submit request" and
then back to IPA, which worked okay (sorry, UTF8 (win 2016) was the bit
needed, without it "renew" failed)
How can one check, look for confirmation (apart from executed commands
being successful), for peace of mind & curiosity, that AD is in IPA's
cert chain?
>> many thanks, L.
>>
>> ps. templates/profiles - is there more one could read to understand what
>> is SubCA, what is IPA's default profile, etc.?
>>
> "Template" in AD and "profile" in IPA are the same concept: defining
> how to build the certificate to be issued, and constraints.
> The AD "SubCA" template issues a CA certificate (Basic Constraints
> extension with CA: TRUE) signed by the AD CA. Common reasons to
> define a custom sub-CA template are to specify the pathLenConstraint
> (i.e. can the subject issue further sub-CAs?), or the Name
> Constraints extension (what namespaces can the subject issue
> certificates for?).
> I don't know for sure if AD has a default template; I have only ever
> seen the template explicitly specified in the CSR but maybe there
> are other ways.
> In IPA the default profile is "caIPAserviceCert" which is suitable
> for TLS services.
> Cheers,
> Fraser
Is changing the chain (apart from the risk attached to doing something,
anything, and that something can go wrong) healthy? (security) e.g.
having AD CA as root then changing to another AD, then maybe back to
IPA's own.
many thanks, L.
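An added example, not code from this thread or from FreeIPA, for the two points left open above: how to confirm that the external CA really is in the IPA CA's chain after the renewal, and what the pathLenConstraint and Name Constraints that a custom sub-CA template sets look like in the issued certificates. It uses only Go's standard library; BuildDemo constructs a sample root CA and IPA CA in place of real AD and IPA certificates, and the DNs and the .ipa.example.test namespace are made up.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Inspect answers "is the external CA really in my IPA CA's chain?": whether the IPA CA cert is
// externally signed (issuer DN differs from subject DN), whether it passes full path validation
// against root, and root's pathLenConstraint (-1 if absent) and permitted-DNS Name Constraints.
func Inspect(ipaCA, root *x509.Certificate) (external, chains bool, pathLen int, dns []string) {
	external = !bytes.Equal(ipaCA.RawIssuer, ipaCA.RawSubject)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := ipaCA.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return external, err == nil, root.MaxPathLen, root.PermittedDNSDomains
}

// issue signs tmpl for pub with signer (the parent's key) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildDemo constructs sample data (not a real AD): a root CA carrying the constraints a custom
// sub-CA template would impose, and an IPA CA certificate signed by that root.
func BuildDemo() (ipaCA, root *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	ipaPub, _, _ := ed25519.GenerateKey(rand.Reader) // the IPA CA's private key is not needed here
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "AD Root CA (constructed)"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, MaxPathLen: 1, // pathLenConstraint=1: the IPA CA may not issue sub-CAs
		PermittedDNSDomains: []string{".ipa.example.test"}} // Name Constraints: IPA may only issue in this namespace
	root = issue(rootTmpl, rootTmpl, rootPub, rootKey)
	ipaTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "Certificate Authority", Organization: []string{"IPA.EXAMPLE.TEST"}},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign} // "SubCA" template: CA:TRUE
	ipaCA = issue(ipaTmpl, root, ipaPub, rootKey)
	return ipaCA, root
}
```

On a real server, parse the IPA CA certificate and the external root with x509.ParseCertificate and pass them to Inspect in place of the constructed pair; a root that merely carries the same DN as the real issuer fails the path validation.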