On Tue, Apr 09, 2019 at 12:17:17PM -0000, Ralph Crongeyer via FreeIPA-users wrote:
> Hi Fraser,
> Sure thing. I was just pointing out that for testing we used the keys generated on the FW.
> Now we would like to use FreeIPA as the CA for the FW's.
> So I am trying to figure out how best to go about this using FreeIPA.
> What I am trying to do is to create a sub CA cert and its signing key on FreeIPA and
> then export those from FreeIPA for use on the FW's.
> Hope that makes more sense.
Why does the firewall need a CA signing certificate? Are you going
to be MITMing your users' TLS?
Anyhow, you should generate the keys and CSR on the system that will
be the sub-CA. Then follow the procedure outlined in my blog post
for creating a sub-CA profile and issuing a sub-CA certificate:
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
If you only need service certificates for the firewall, just create
the keys and CSRs on the firewall machine, and submit them as you
would any other service certificate.
HTH,
Fraser
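The key point in Fraser's reply, as an added example that is not from the thread or from FreeIPA itself: the sub-CA key pair and CSR are generated on the host that will become the sub-CA, so the private key never leaves it and only the CSR goes to FreeIPA. The hostname, output directory and profile name are placeholders; `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the sub-CA key and CSR on the
# future sub-CA host (e.g. the firewall). Assumes openssl; names are placeholders.
set -e

make_subca_csr() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # Constructed request config: request a CA certificate that may only issue
    # end-entity certificates (pathlen:0) and is limited to signing uses.
    cat > "$dir/subca.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ca_ext
prompt = no
[dn]
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    # The private key is created and kept here; only subca.csr is submitted.
    openssl genrsa -out "$dir/subca.key" 3072 2>/dev/null
    chmod 600 "$dir/subca.key"
    openssl req -new -key "$dir/subca.key" -config "$dir/subca.cnf" \
        -out "$dir/subca.csr"
}

# Check that the CSR really carries the CA extensions before submitting it,
# since the issuing profile on the FreeIPA side decides what ends up in the cert.
csr_is_ca() {
    openssl req -in "$1" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

# Usage on the sub-CA host:
#   make_subca_csr /tmp/subca fw1.example.test && csr_is_ca /tmp/subca/subca.csr
# Then submit the CSR from an enrolled client using the sub-CA profile created
# per the blog post (profile name is a placeholder):
#   ipa cert-request /tmp/subca/subca.csr \
#       --principal host/fw1.example.test --profile-id SUBCA_PROFILE_NAME
```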