On Thu, Jan 31, 2019 at 10:30:36PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 31 Jan 2019, Natxo Asenjo via FreeIPA-users wrote:
> > hi,
> >
> > at work I am testing using a light sub-ca with openvpn to limit the scope
> > of hosts that can auto request a certificate.
> >
> > So far so good, really impressed with how well it works.
> >
> > The question I cannot answer is: are there specific urls for crl/ocsp for
> > sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well?
> There is no CRL support for subCAs. OCSP should work just fine.
> See https://bugzilla.redhat.com/show_bug.cgi?id=1478394 for details.
To expand on Alexander's reply, the OCSP URL is indeed the same.
This works because all the lightweight CAs (and the main CA) share a
single serial number domain. So the OCSP responder uses the serial
number to find the correct issuer with which to sign the OCSP
response.
Cheers,
Fraser
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland