On Mon, 02 Sep 2019, Dmitry Perets via FreeIPA-users wrote:
Certificates are issued from IPA CA with the OCSP responder URI http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the certificate extensions).
flo
Thanks! Does it have to be an IPA server with CA? What if it doesn't have CA component - will it forward the request to one of the IPA servers with CA?
It has to be a CA component server. That's why we have ipa-ca -- it is an entry that is managed to have only IP addresses of CA servers. Technically, something else could front it but there are other issues with this approach.
In the past we tried to use a CNAME to point to the CA master but it didn't work for HTTP end-points.