On Wed, Jul 17, 2019 at 12:46:15PM +0100, lejeczek via FreeIPA-users wrote:
>> Hi,
>> please have a look at [1] Changing the Certificate chain:
>> ----8<----
>> Self-signed CA certificate → externally-signed CA certificate
>> Add the --external-ca option to ipa-cacert-manage renew. This renews the
>> self-signed CA certificate as an externally-signed CA certificate.
>> For details on running the command with this option, see Section 26.2.2,
>> “Renewing CA Certificates Manually”.
>> ---->8----
>>
>> you need to specify --external-ca --external-ca-type ms-cs
>> --external-ca-profile MySubCA
>>
> But replace "MySubCA" with the appropriate template name. Or leave
> it out if the default template name ("SubCA") is correct. You can
> also specify template by OID. Read `man 1 ipa-cacert-manage` for
> full details.
>
> Cheers,
> Fraser
> AD's end - is "Appendix B: creating a custom sub-CA certificate
> template" a must-have or optional, and can be skipped over to "Appendix
> C: issuing a certificate"
> I imagine quite a few of us, those who do not have control over AD
> domain and need to rely on those who have, must think that question.
It is not essential to use a custom sub-CA template for the IPA CA.
The default ("SubCA") works just fine (subject to policy).
> many thanks, L.
> ps. templates/profiles - is there more one could read to understand what
> is SubCA, what is IPA's default profile, etc.?
"Template" in AD and "profile" in IPA are the same concept: defining
how to build the certificate to be issued, and constraints.
The AD "SubCA" template issues a CA certificate (Basic Constraints
extension with CA: TRUE) signed by the AD CA. Common reasons to
define a custom sub-CA template are to specify the pathLenConstraint
(i.e. can the subject issue further sub-CAs?), or the Name
Constraints extension (what namespaces can the subject issue
certificates for?).
I don't know for sure if AD has a default template; I have only ever
seen the template explicitly specified in the CSR but maybe there
are other ways.
In IPA the default profile is "caIPAserviceCert" which is suitable
for TLS services.
Cheers,
Fraser
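As an added illustration (not part of this thread, and not FreeIPA's or Microsoft's code): the script below builds a throwaway chain with openssl in which a self-signed root stands in for the AD CA, a CSR stands in for the one `ipa-cacert-manage renew --external-ca` would produce, and an extension file stands in for a custom sub-CA template that sets pathLenConstraint and Name Constraints. It then runs the two checks an IPA admin would want after installing the externally-signed CA certificate: does the certificate carry CA:TRUE plus the expected constraints, and does chain validation actually reject a certificate issued outside the permitted namespace. All names (`Example AD Root CA`, `EXAMPLE.TEST`, `example.test`, `other.test`) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: a throwaway openssl chain
# showing what an AD-style sub-CA template controls (CA:TRUE, pathLenConstraint,
# Name Constraints) and how to check the resulting IPA CA certificate.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

newkey_csr() { # $1=basename  $2=subject (constructed)
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Root CA standing in for the AD CA (self-signed, constructed).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
newkey_csr root "/CN=Example AD Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 1 \
  -extfile root.ext -out root.crt 2>/dev/null

# Extension file standing in for a custom sub-CA template: the IPA CA may not
# create further sub-CAs (pathlen:0) and may only issue for example.test.
cat > subca.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:example.test
EOF

# CSR standing in for the one ipa-cacert-manage renew --external-ca emits.
newkey_csr ipa "/O=EXAMPLE.TEST/CN=Certificate Authority"
openssl x509 -req -in ipa.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile subca.ext -out ipa.crt 2>/dev/null

# Issue a leaf from the IPA CA. Note that signing itself does not enforce the
# Name Constraints; only path validation by the relying party does.
issue_leaf() { # $1=basename  $2=hostname (constructed)
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1.ext"
  newkey_csr "$1" "/CN=$2"
  openssl x509 -req -in "$1.csr" -CA ipa.crt -CAkey ipa.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
issue_leaf ok  host.example.test   # inside the permitted namespace
issue_leaf bad host.other.test     # outside it

# Check 1: the sub-CA certificate carries what the template should have set.
check_subca() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE, pathlen:0' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign' &&
    printf '%s\n' "$text" | grep -q 'DNS:example.test'
}

# Check 2: does root -> ipa -> leaf validate, Name Constraints included?
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted ipa.crt "$1" >/dev/null 2>&1
}

check_subca ipa.crt && echo "ipa.crt: CA:TRUE, pathlen:0 and Name Constraints present"
verify_leaf ok.crt  && echo "ok.crt: accepted (host.example.test)"
verify_leaf bad.crt || echo "bad.crt: rejected (host.other.test is outside the Name Constraints)"
```

The same `check_subca`-style inspection (`openssl x509 -noout -text`) is what to run against the certificate AD hands back after the CSR is submitted: if the template did not set the constraints you expected, that is visible before the certificate is ever installed with `ipa-cacert-manage renew --external-cert-file`.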