[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

-- Bret Wortman bret.wortman@damascusgrp.com On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote: > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote: > > We had a developer team deploy their own CA and then issue a slew > > of certificates for users' workstations and other servers, and now > > they want us to deploy those certificates more widely. I'd rather > > find a way to bring their CA under ours so that the root CA > > certificate we already distribute will make theirs "just work" > > rather than having to distribute another set of root CA > > certificates. > > > > Is this possible, or would they have to start over and build a > > subordinate CA from the ground up to make it work? If it's perhaps > > possible, under what circumstances? > > > Hi Bret, > > It is possible, but there are restrictions about what the sub-CAs > subject DN can be. Have a read of this blog post: > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinat... > > If your developer team's CA certificate does not fit those > requirements, please share the details of the certificate > (especially Subject DN) and I'll see if I can find a workaround. > > Cheers, > Fraser > > > > > Thanks! > > > > Bret > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... > > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure > >