Hi, all

I'm not sure the following is feasible, but IHAC who may want to use
IPA in an air-gapped network while relying on smart card authentication
using certificates from a very large, external CA. Can anyone give me
an idea of whether the following scenario is feasible, and if so,
supportable?

External certificate authority E issues user certificates and
provisions smart card tokens. (It runs RHCS, if that matters.) Inside
the isolated network, users are separately maintained in IPA domain P.
When each user is created in P, a certificate issued by E is added to
the user's entry. That certificate is used for pkinit and ssl/tls
client authentication to services in P.

So far, my understanding is that this should be feasible provided that
E is added as a trusted authority in various places, but I'm a little
fuzzy on the pkinit piece. Where it gets really problematic is dealing
with CRLs.

Because P and its relying parties are isolated, they can't use OCSP to
check current validity of a certificate. To avoid the hassles of
distributing CRLs to all relying systems and services manually, would
it be possible to add those CRLs to the set served by the OCSP
responder in P? Obviously the responses would be signed by P rather
than E, but if P has verified the CRL on which they were based it seems
at least potentially viable.

As currently envisioned, E would be completely unaware of the existence
of P, but P would trust certificates issued by E. If that isn't
feasible, would it make any difference if P's CA were subordinate to E?

Thanks in advance for any guidance you can offer.

-Andrew
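The check the post sketches for P (verify E's CRL before answering for certificates E issued), as an added example that is not part of this thread, of FreeIPA, or of RHCS. It is written in Go against the standard library only; a self-generated CA stands in for E, and the function names (NewCA, IssueUserCert, IssueCRL, CheckRevocation) and the serial numbers are hypothetical. It shows the verification policy a responder in P would have to apply, not Dogtag's OCSP code or the construction of the signed OCSP response itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Status int // what P's responder may report for one of E's certificates
const (
	StatusUnknown Status = iota // CRL could not be trusted: never answer "good"
	StatusGood
	StatusRevoked
)

// mint makes a P-256 key for tmpl and signs it under parent with signer; nil parent means self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed CA (a stand-in for E) that may sign certificates and CRLs.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueUserCert has the CA issue a TLS client-auth certificate with the given serial number.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

// IssueCRL has the CA sign a CRL, valid for one hour, listing the given serials as revoked.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, len(revoked))
	for i, s := range revoked {
		entries[i] = pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()}
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: entries,
	}, ca, caKey)
}

// CheckRevocation is what P must do before answering for a certificate that has already
// been chain-validated to issuer: the CRL must verify against issuer's certificate (not
// merely name it) and be within its validity window. Any failure is StatusUnknown, never StatusGood.
func CheckRevocation(crlDER []byte, issuer, cert *x509.Certificate, now time.Time) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL not current at %s", now.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func main() {
	e, eKey, _ := NewCA("E Root CA")
	alice, _ := IssueUserCert(e, eKey, 100, "alice")
	crl, _ := IssueCRL(e, eKey, []int64{100})
	impostor, impostorKey, _ := NewCA("E Root CA")   // carries E's name but not E's key
	forged, _ := IssueCRL(impostor, impostorKey, nil) // claims nothing is revoked
	fmt.Println(CheckRevocation(crl, e, alice, time.Now()))    // 2 <nil> (StatusRevoked)
	fmt.Println(CheckRevocation(forged, e, alice, time.Now())) // 0 plus a signature error (StatusUnknown)
}
```

CheckRevocation assumes the certificate has already been chain-validated to issuer, as a TLS or pkinit stack does before it consults revocation data; serial numbers are only unique per issuer, so a responder bridging several CAs must select the CRL by issuer first. The stale-CRL branch is where the air gap bites: with no path to E, a CRL past its nextUpdate has to be answered as unknown rather than good, so the manual distribution interval into P has to be shorter than the CRL's validity window.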