Christopher Lord via FreeIPA-users wrote:
> Hi All,
> We are doing a PoC of FreeIPA using a Sub CA issued by ms-ca as the CA
> for FreeIPA. One of the test cases laid out by our security team is that
> we need to be able to issue Sub CA certs for each FreeIPA replica so
> that we are able to revoke one of the Sub CAs and still have a
> functioning FreeIPA stack. However I haven't been able to find a way to
> have an issued Sub CA cert per replica server, or how to have a FreeIPA
> replica register that its Sub CA cert has been revoked.
> Is it possible to do these? If so, could I please be pointed to the
> appropriate doco?
I think there is a misunderstanding of what an IPA master is, and what a
"replica" is. The only thing that distinguishes one master from another
is the order of installation (the first is assigned the role of renewal
master and CRL generator) and the optional services on it (CA, KRA, DNS,
AD). They are otherwise all exactly identical.
A unique SubCA isn't (and can't be) generated for each new master created.
rob
> Cheers,
> Chris
> Christopher Lord
> *Systems Engineer*
> *T* +61 2 9994 8587
> *E* christopher.lord(a)mnfgroup.limited
> *mnfgroup.limited <https://mnfgroup.limited>*
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...