# ipa host-add --force damascusgrp.com
----------------------------
Added host "damascusgrp.com"
----------------------------
Host name: damascusgrp.com
Principal name: host/damascusgrp.com@DAMASCUSGRP.COM
Principal alias: host/damascusgrp.com@DAMASCUSGRP.COM
Password: False
Member of host-groups: allow_all_hosts
Indirect Member of netgroup: allow_all_hosts
Keytab: False
Managed by: damascusgrp.com
# ipa certprofile-show caIPAserviceCert --out SubCA.cfg
------------------------------------------------
Profile configuration stored in file "SubCA.cfg"
------------------------------------------------
Profile ID: caIPAserviceCert
Profile description: Standard profile for network services
Store issued certificates: TRUE
# vim SubCA.cfg
:
profileId=damascusgrp.com
:
# ipa certprofile-import 'damascusgrp.com' --desc "Web Team CA" --file SubCA.cfg --store=1
ipa: ERROR: invalid 'id': invalid Profile ID
--
Bret Wortman
bret.wortman@damascusgrp.com
On Tue, Feb 16, 2021, at 7:40 AM, Bret Wortman wrote:
> Just to be clear, I'm going to follow the steps, but instead of setting
> up sub.ipa.local, I'm going to instead use simply "damascusgrp.com",
> yielding a principal named host/damascusgrp.com@DAMASCUSGRP.COM, right?
> And then proceed through the rest of the steps.
>
>
> --
> Bret Wortman
> bret.wortman@damascusgrp.com
>
> On Tue, Feb 16, 2021, at 7:05 AM, Bret Wortman wrote:
> > Okay, I'll give it a try. Thanks!
> >
> >
> > --
> > Bret Wortman
> > bret.wortman@damascusgrp.com
> >
> > On Tue, Feb 16, 2021, at 6:59 AM, Fraser Tweedale wrote:
> > > On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
> > > > Fraser,
> > > >
> > > > It doesn't look like we fit the model. Our IPA CA's cert is as
> > > > expected, but the other one is:
> > > >
> > > > $ openssl x509 -noout -in web-ca.crt -issuer
> > > > issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA
> > > >
> > > > Since I don't see a hostname in there anywhere (and in fact,
> > > > further conversations with this team turned up the fact that
> > > > they're just creating these by hand using openssl commands rather
> > > > than running any sort of service at all), I'm hesitant to just
> > > > barge ahead and try to make it work on my own...
> > >
> > > The CN (damascusgrp.com) is a domain name. You can add a host
> > > object with that name to FreeIPA. I think the procedure outlined in
> > > the blog post should work for you.
> > >
> > > Cheers,
> > > Fraser
> > >
> > > >
> > > > --
> > > > Bret Wortman
> > > > bret.wortman@damascusgrp.com
> > > >
> > > > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> > > > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote:
> > > > > > We had a developer team deploy their own CA and then issue a slew
> > > > > > of certificates for users' workstations and other servers, and now
> > > > > > they want us to deploy those certificates more widely. I'd rather
> > > > > > find a way to bring their CA under ours so that the root CA
> > > > > > certificate we already distribute will make theirs "just work"
> > > > > > rather than having to distribute another set of root CA
> > > > > > certificates.
> > > > > >
> > > > > > Is this possible, or would they have to start over and build a
> > > > > > subordinate CA from the ground up to make it work? If it's perhaps
> > > > > > possible, under what circumstances?
> > > > > >
> > > > > Hi Bret,
> > > > >
> > > > > It is possible, but there are restrictions about what the sub-CAs
> > > > > subject DN can be. Have a read of this blog post:
> > > > >
> > > > > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinat...
> > > > >
> > > > > If your developer team's CA certificate does not fit those
> > > > > requirements, please share the details of the certificate
> > > > > (especially Subject DN) and I'll see if I can find a workaround.
> > > > >
> > > > > Cheers,
> > > > > Fraser
> > > > >
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > Bret
> > > > > > _______________________________________________
> > > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> > > > > > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> > > > >
> > > > >
> > > >
> > >
> > >
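The "invalid Profile ID" error in the certprofile-import step at the top of this message comes from FreeIPA's certprofile plugin rejecting profile IDs that contain anything other than letters, digits and underscores (the ID must also start with a letter); the dot in "damascusgrp.com" is what trips it. The checker below is an added example written for this page, not FreeIPA's own code and not from any participant in the thread: it re-implements that rule as I understand it (treat the exact pattern as an assumption about the plugin's source), derives a compliant ID from a DNS-style name, and rewrites the profileId= line of an exported profile config so the mismatch is caught before the import command runs. The sample config text is constructed, and derive_profile_id and set_profile_id are hypothetical helper names.

```python
import re

# Assumption (not FreeIPA's code): the certprofile plugin validates IDs with a
# pattern equivalent to this one, a letter followed by letters, digits or
# underscores. Dots and hyphens are rejected, so 'damascusgrp.com' fails with
# "invalid Profile ID".
PROFILE_ID_PATTERN = re.compile(r'^[a-zA-Z]\w*$')

# Constructed fragment resembling an exported caIPAserviceCert profile config.
SAMPLE_CFG = """# constructed sample, not a real exported profile
profileId=caIPAserviceCert
desc=Standard profile for network services
visible=false
"""


def validate_profile_id(value):
    """Return None if value is an acceptable profile ID, else the error text."""
    if PROFILE_ID_PATTERN.match(value) is None:
        return 'invalid Profile ID'
    return None


def derive_profile_id(name):
    """Turn a DNS-style name into an ID that passes validate_profile_id.

    Every non-word character becomes an underscore, and a name that does not
    start with a letter gets a 'p' prefix. Hypothetical helper for this example.
    """
    candidate = re.sub(r'\W', '_', name)
    if not re.match(r'^[a-zA-Z]', candidate):
        candidate = 'p' + candidate
    return candidate


def set_profile_id(config_text, profile_id):
    """Rewrite the profileId= line of an exported profile config.

    Raises ValueError if the ID would be rejected, so the problem surfaces
    before certprofile-import is run with a bad --id and config.
    """
    error = validate_profile_id(profile_id)
    if error:
        raise ValueError(f"{profile_id!r}: {error}")
    lines = config_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        if line.startswith('profileId='):
            lines[i] = 'profileId=' + profile_id
            found = True
    if not found:
        lines.append('profileId=' + profile_id)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    wanted = 'damascusgrp.com'
    print(wanted, '->', validate_profile_id(wanted))
    safe = derive_profile_id(wanted)
    print(wanted, 'becomes', safe, '->', validate_profile_id(safe))
    print(set_profile_id(SAMPLE_CFG, safe))
```

Whatever ID is chosen has to be used consistently: the value passed to certprofile-import and the profileId= line in the file it reads should be the same compliant string, which is what set_profile_id enforces on the file side.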