On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
Fraser,
It doesn't look like we fit the model. Our IPA CA's cert is as
expected, but the other one is:
$ openssl x509 -noout -in web-ca.crt -issuer issuer=
/C=US/ST=VA/L=Fairfax/O=DG Web
Team/OU=DG/CN=damascusgrp.com DG
Web Team Root CA
Since I don't see a hostname in there anywhere (and in fact,
further conversations with this team turned up the fact that
they're just creating these by hand using openssl commands rather
than running any sort of service at all), I'm hesitant to just
barge ahead and try to make it work on my own...
The CN (
damascusgrp.com) is a domain name. You can add a host
object with that name to FreeIPA. I think the procedure outlined in
the blog post should work for you.
Cheers,
Fraser
--
Bret Wortman
bret.wortman(a)damascusgrp.com
On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote:
> > We had a developer team deploy their own CA and then issue a slew
> > of certificates for users' workstations and other servers, and now
> > they want us to deploy those certificates more widely. I'd rather
> > find a way to bring their CA under ours so that the root CA
> > certificate we already distribute will make theirs "just work"
> > rather than having to distribute another set of root CA
> > certificates.
> >
> > Is this possible, or would they have to start over and build a
> > subordinate CA from the ground up to make it work? If it's perhaps
> > possible, under what circumstances?
> >
> Hi Bret,
>
> It is possible, but there are restrictions about what the sub-CAs
> subject DN can be. Have a read of this blog post:
>
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
>
> If your developer team's CA certificate does not fit those
> requirements, please share the details of the certificate
> (especially Subject DN) and I'll see if I can find a workaround.
>
> Cheers,
> Fraser
>
> >
> > Thanks!
> >
> > Bret
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>
>