On 3/11/20 5:01 PM, Alexander Petrenz via FreeIPA-users wrote:
Hi,
I'm new to FreeIPA and I have a conceptual question.
I have an existing PKI infrastructure with one root CA and three derived Sub-CAs.
Now I want to move PKI management to FreeIPA without replacing the already existing
Sub-CAs.
My first question is: Is it possible to have more than one external CA (via the
installation with "external-ca") in FreeIPA? The goal is to import the three
existing external Sub-CAs with their keys into FreeIPA. I have found various sources from
around 2015 saying that such a feature would be implemented later, but I didn't find any
information on whether it is implemented yet or not.
Furthermore, I don't want to import the root CA with its key into FreeIPA. As far as I
understood, this would be a security benefit if the IPA server were compromised. If
that idea is wrong, I would be happy to get some advice on this.
Hi,
when the command ipa-server-install --external-ca is used, it means that
IPA will also host a CA service with its own cert, but that cert is
signed by a single external CA. So no, it's not possible to have
multiple external CAs signing the IPA CA. The chain is External CA > IPA CA.
On the other hand, you may want to install other external CA certs in
IPA using ipa-cacert-manage install / ipa-certupdate. With this command
the CA certs are appended to the trusted CAs, and the clients will also
download and install them in their trust stores.
In all cases, the external CA and sub-CA keys won't be imported into
IPA, only the public certificates.
Hope this clarifies,
flo
Thanks
Alexander
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org