Natxo Asenjo via FreeIPA-users wrote:
hi,
We need to deploy an IdM environment in a firewalled network with
different layers (untrusted/semi-trusted/trusted).
In the untrusted network there will be no IdM servers. In the trusted,
we will have replicas with the base services (ldap/kerberos/dns). Hosts
in the untrusted zone will talk to these replicas.
In the trusted zone we will have replicas with the CA functionality as
well, and obviously the IdM servers will communicate between the
semi-trusted and trusted zone.
According to:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
"If you set up a replica without a CA, it will forward all requests for
certificate operations to the CA server in your topology."
The question is: will certmonger on hosts in the untrusted zone be able
to request and renew certificates and have the requests proxied to the
trusted zone servers with the CA service? I know mod_rewrite can do this
using the [P] flag
(https://httpd.apache.org/docs/2.4/rewrite/proxy.html), but is this
something we can use for our goal?
It depends on the certmonger "ca" used to request the cert on those hosts.
If the request uses the "IPA" CA then certmonger will use the IPA API to
make cert requests. As long as it can contact an IPA master then the
request will be handled properly, e.g. if you used ipa-getcert to obtain
the cert. This is shorthand for getcert -c IPA ...
If you used another CA, like the one used to renew the CA certificates
(dogtag-*) then yes, it would need to talk directly to the CA.
I'm guessing it is the former as that is the typical use case.
rob
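As an added illustration of the distinction drawn in the reply above (this is example code, not code from the thread, from FreeIPA or from certmonger): a small Python script that parses the text output of `getcert list` and reports, per tracked request, whether the request goes through the "IPA" CA (handled via the IPA API on any reachable master) or through a dogtag-* CA (needs to reach the CA itself). The sample output is constructed, not captured from a real host; the script assumes the layout certmonger prints (a `Request ID '...'` header followed by tab-indented `field: value` lines), and the classification rule simply follows the reply: CA name "IPA" means IPA API, a name starting with "dogtag-" means direct CA access, anything else is left for the operator to check.

```python
"""Classify certmonger tracking requests by the CA they are submitted through.

Added example, not from the original thread. Run on a host as
`getcert list | python3 certmonger_ca_check.py`; with no piped input it
uses the constructed sample below.
"""
import re
import sys

# Constructed sample of `getcert list` output (not captured from a real host).
# Field order and tab indentation mirror what certmonger prints.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20190101000000':
\tstatus: MONITORING
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/host.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
\tCA: IPA
\tsubject: CN=host1.example.com,O=EXAMPLE.COM
\texpires: 2021-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20190101000001':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2021-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20190101000002':
\tstatus: MONITORING
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/app.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/app.crt'
\tCA: SelfSign
\tsubject: CN=app.example.com
\texpires: 2021-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
# Field name runs up to the first colon; the value may itself contain colons
# (e.g. the "expires" timestamp), so everything after ": " is kept as-is.
FIELD_RE = re.compile(r"^\t([^:]+): (.*)$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} parsed from `getcert list` text."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def classify_ca(ca_name):
    """'ipa-api' for the IPA CA, 'direct-ca' for dogtag-* CAs, else 'other'."""
    if ca_name == "IPA":
        return "ipa-api"
    if ca_name.startswith("dogtag-"):
        return "direct-ca"
    return "other"


def summarize(text):
    """Return {request_id: (ca_name, classification)} for every request."""
    return {
        rid: (fields.get("CA", ""), classify_ca(fields.get("CA", "")))
        for rid, fields in parse_getcert_list(text).items()
    }


def direct_ca_request_ids(text):
    """IDs of requests that must reach the CA service directly."""
    return [rid for rid, (_, kind) in summarize(text).items() if kind == "direct-ca"]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    for rid, (ca, kind) in summarize(data).items():
        print(f"{rid}: CA={ca!r} -> {kind}")
```

On a plain enrolled client every tracked request normally shows `CA: IPA`, so the script prints only "ipa-api" lines; the dogtag-* entries appear on IPA servers that carry a CA, which is where direct reachability of the CA service matters.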