Attempting to reply to the proper thread instead of to Rob privately.
Please forgive my inexperience with mailing lists.
Thanks Rob,
I thought that was probably the case. Is it at all possible to revoke
the Sub CA certificate and have FreeIPA aware that its cert has been
revoked? Or would it just be a case of revoking the cert, and then
following the manual renewal process to replace the cert?
Chris
On Tue, 2020-02-11 at 19:04 -0500, Rob Crittenden wrote:
Christopher Lord via FreeIPA-users wrote:
> Hi All,
>
> We are doing a PoC of FreeIPA using a Sub CA issued by ms-ca as the CA
> for FreeIPA. One of the test cases laid out by our security team is that
> we need to be able to issue Sub CA certs for each FreeIPA replica so
> that we are able to revoke one of the Sub CAs and still have a
> functioning FreeIPA stack. However, I haven't been able to find a way to
> have an issued Sub CA cert per replica server, or how to have a FreeIPA
> replica register that its Sub CA cert has been revoked.
>
> Is it possible to do these? If so, could I please be pointed to the
> appropriate doco?
I think there is a misunderstanding of what an IPA master is, and what a
"replica" is. The only thing that distinguishes one master from another
is the order of installation (the first is assigned the role of renewal
master and CRL generator) and the optional services on it (CA, KRA, DNS,
AD). They are otherwise all exactly identical.
A unique SubCA isn't (and can't be) generated for each new master
created.
rob
> Cheers,
>
> Chris