On 3/20/20 12:32 PM, Alex P via FreeIPA-users wrote:
> I continued setting this up. From the externally signed ipa root CA I was trying to create
> a nested structure of additional CAs. However this doesn't seem to be supported. Is
> that correct? Here is something similar to what I tried:
>
> Root (externally signed)
> | - external CA
> | - servers CA
> | - clients CA
> | - internal CA
> | - internal servers CA
> | - internal clients CA
>
> I guess I only could do this without the intermediate external and internal CA.
>
Hi,
IPA has the ability to define lightweight sub-CAs, but the sub-CAs can
only be direct subordinates of IPA CA. So you can have:
IPA CA (externally signed)
|- subCA1
|- subCA2
|- ...
For more information please refer to Lightweight Sub-CAs [1] and
Fraser's blog post [2], especially the "limitations" section:
-----8<-----
there is no support for “nesting” CAs
----->8-----
Hope this clarifies,
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[2] https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-sub...
> Regards
> Alex
It ate the formatting, sorry. However, I hope it is clear that I tried to sketch some nested
hierarchy.
Regards
Alexander