4:01 p.m.
Hi,
I'm new to FreeIPA and I have a conceptual question.
I have an existing PKI-Infrastructure with one root CA and three derived Sub-CAs.
Now I want to change the PKI-Management to FreeIPA without replacing the already existing
Sub-CAs.
My first question is: Is it possible to have more then one external CAs (by the
installation with "external-ca") in FreeIPA? The goal is to import the three
existing external Sub-CAs with their keys in FreeIPA. I have found various sources from
around 2015 that such a feature will be implemented later but I didn't found any
information if it is implemented yet - or not.
Furthermore I don't want to import the root CA with its key into FreeIPA. As far I
understood this would be a security benefit if the ipa server would be compromised. If
that idea is wrong, I would be happy to get some advice on this.
Thanks
Alexander
6:02 p.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
On 3/11/20 5:01 PM, Alexander Petrenz via FreeIPA-users wrote:
Hi,
I'm new to FreeIPA and I have a conceptual question.
I have an existing PKI-Infrastructure with one root CA and three derived Sub-CAs.
Now I want to change the PKI-Management to FreeIPA without replacing the already existing
Sub-CAs.
My first question is: Is it possible to have more then one external CAs (by the
installation with "external-ca") in FreeIPA? The goal is to import the three
existing external Sub-CAs with their keys in FreeIPA. I have found various sources from
around 2015 that such a feature will be implemented later but I didn't found any
information if it is implemented yet - or not.
Furthermore I don't want to import the root CA with its key into FreeIPA. As far I
understood this would be a security benefit if the ipa server would be compromised. If
that idea is wrong, I would be happy to get some advice on this.
Hi,
when the command ipa-server-install --exernal-ca is used, it means that
IPA will also host a CA service with its own cert, but that cert is
signed by a single external CA. So no, it's not possible to have
multiple external CA signing IPA CA. The chain is External CA > IPA CA.
On the other hand, you may want to install other external CA certs in
IPA using ipa-cacert-manage install / ipa-certupdate. With this command
the CA certs are appended to the trusted CAs and the clients will also
download and install them in their trust stores.
In all the cases, the external CA and subCA keys won't be imported into
IPA, only the public certificates.
Hope this clarifies,
flo
Thanks
Alexander
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
10:35 a.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
Thanks for your reply. To geht this right: Your said, by using an external ca or importing
additional external CAs to FreeIPA keys won't be imported to FreeIPA. So that means
when using such a setup FreeIPA is not intended to issue own certificates to clients?
2:01 p.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
Alexander Petrenz via FreeIPA-users wrote:
Thanks for your reply. To geht this right: Your said, by using an
external ca or importing additional external CAs to FreeIPA keys won't be imported to
FreeIPA. So that means when using such a setup FreeIPA is not intended to issue own
certificates to clients?
I can't quite parse your question.
Think of IPA as its own sub-CA. You'd sign it using your existing CA (or
one of the sub-CA's).
There is no way to import your sub-CA private keys into IPA to be used
for signing.
IPA can issue certs for services, hosts and users.
rob
7:05 a.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
That's exactly what I meant. Thanks for the clarification!
Alex
11:27 a.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
I continued setting this up. From the externally signed ipa root CA I was trying to create
a nested structure of additional CAs. However this doesn't seem to be supported. Is
that correct? Here is similar of what I tried:
Root (externally signed)
| - external CA
| - servers CA
| - clients CA
| - internal CA
| - internal servers CA
| - internal clients CA
I guess I only could do this without the intermediate external and internal CA.
Regards
Alex
11:32 a.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
I continued setting this up. From the externally signed ipa root CA I
was trying to create
a nested structure of additional CAs. However this doesn't seem to be supported. Is
that correct? Here is similar of what I tried:
Root (externally signed)
| - external CA
| - servers CA
| - clients CA
| - internal CA
| - internal servers CA
| - internal clients CA
I guess I only could do this without the intermediate external and internal CA.
Regards
Alex
It ate the formatting, sorry; However I hope it clear that I tried to sketch
some nested hierarchy.
Regards
Alexander
9:19 a.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
On 3/20/20 12:32 PM, Alex P via FreeIPA-users wrote:
> I continued setting this up. From the externally signed ipa root
CA I was trying to create
> a nested structure of additional CAs. However this doesn't seem to be supported.
Is
> that correct? Here is similar of what I tried:
>
> Root (externally signed)
> | - external CA
> | - servers CA
> | - clients CA
> | - internal CA
> | - internal servers CA
> | - internal clients CA
>
> I guess I only could do this without the intermediate external and internal CA.
>
Hi,
IPA has the ability to define lighweight sub-CAs, but the sub-CAs can
only be direct subordinates of IPA CA. So you can have:
IPA CA (externally signed)
|- subCA1
|- subCA2
|- ...
For more information please refer to Lightweight Sub-CAs [1] and
Fraser's blog post [2], especially the "limitations" section:
-----8<-----
there is no support for “nesting” CAs
----->8-----
Hope this clarifies,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[2]
https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-sub...
> Regards
> Alex
It ate the formatting, sorry; However I hope it clear that I tried to sketch some nested
hierarchy.
Regards
Alexander
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
10:40 a.m.
New subject: Managing different Sub CAs in FreeIPA without their shared Root CA
Sorry I guess I got confused on this. There would be still the key of the FreeIPA internal
CA Certificate which was signed by the external CA and this can be used for issuing
certificates. However as far as I understood, there can only be one externally signed CA
certificate - the one handled during the installation via --external-ca. Correct?
1500
days inactive
1512
days old
freeipa-users@lists.fedorahosted.org
8 comments
4 participants
participants (4)
-
Alex P -
Alexander Petrenz -
Florence Blanc-Renaud -
Rob Crittenden