On 7.6.2013 14:26, Martin Kosek wrote:
On 06/07/2013 02:04 PM, Dmitri Pal wrote:
On 06/07/2013 03:47 AM, freeipa wrote:
#3668: CA-less install fails when intermediate CA is used
-------------------------------------+-------------------------------------
                Reporter:  jcholast      |             Owner:  jcholast
                    Type:  defect        |            Status:  assigned
                Priority:  major         |         Milestone:  2013 Month 06 - June (3.2.x bug fixing)
               Component:  Installation  |           Version:
              Resolution:             |          Keywords:
              Blocked By:             |          Blocking:
           Tests Updated:  0          |       Affects DOC:  0
Patch posted for review:  0          |  Red Hat Bugzilla:
                  Source:             |       Effort Type:
        Targeted feature:             |       Design link:
           Design review:  0          |  Fedora test page:
                  Chosen:             |   Needs UI design:
-------------------------------------+-------------------------------------
Release Notes:


-------------------------------------+-------------------------------------
Changes (by mkosek):

  * rhbz:  0 =>


Comment:

  We do not support intermediate CAs for external CA install or CA-less
  install. Thus, this ticket cannot be easily solved without extensive changes
  to the installer. Related to #3274 (Pilsner milestone).

  Moving back to triage to decide what to do about this ticket.

So you are saying that the CA we chain to or get the certs from should
always be a root CA?
Why does it matter for our code whether the CA we deal with is a Root CA or
not?

No, this is a case when the CA you pass to FreeIPA is not a direct "parent" of
the HTTP/DIRSRV certificates, i.e. there is an intermediate CA between the CA
passed to IPA and the actual certs.

It should not mean that the CA you pass to IPA must necessarily be the root
CA of the entire chain. Jan, is this correct? Can you elaborate?

Yes, this is correct. The DS certificate must be directly signed by the CA trusted by IPA (specified by --root-ca-cert in ipa-server-install), there may be no intermediate CAs, because ldapsearch and friends and python-ldap don't like them.

Honza

--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

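A pre-flight check for the situation Jan describes, written as an added example (not FreeIPA code, and not the installer's own validation): before running ipa-server-install, confirm that the HTTP/DS certificate's issuer is exactly the certificate you intend to pass as --root-ca-cert, with no intermediate in between. It needs only the openssl CLI. The constructed demo PKI (root -> intermediate -> leaf, plus a leaf signed directly by the root) and the names root.pem, int.pem, leaf-direct.pem and leaf-via-int.pem are assumptions for the demonstration; the second function shows that the very chain the installer rejects still passes ordinary chain validation once the intermediate is supplied, which is why this case is easy to miss.

```shell
# Added example: check that a server cert is signed DIRECTLY by the CA that
# will be given to ipa-server-install --root-ca-cert. Not FreeIPA code.

# Usage: direct_signer_check CA.pem LEAF.pem
# Returns 0 when LEAF's issuer DN equals CA's subject DN and LEAF's signature
# verifies against CA alone (no intermediates supplied), 1 otherwise.
direct_signer_check() {
    ca=$1; leaf=$2
    ca_subject=$(openssl x509 -in "$ca" -noout -subject) || return 1
    leaf_issuer=$(openssl x509 -in "$leaf" -noout -issuer) || return 1
    ca_subject=${ca_subject#subject=}
    leaf_issuer=${leaf_issuer#issuer=}
    if [ "$ca_subject" != "$leaf_issuer" ]; then
        echo "$leaf was issued by '$leaf_issuer', not by '$ca_subject'" >&2
        return 1
    fi
    # -partial_chain lets a non-self-signed CA act as the trust anchor; no
    # -untrusted file is given, so any intermediate between CA and LEAF fails.
    openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1
}

# Usage: chain_check ROOT.pem INTERMEDIATE.pem LEAF.pem
# Ordinary chain validation with the intermediate supplied. This succeeds for
# exactly the chain that the CA-less installer cannot use.
chain_check() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed demo PKI in DIR (assumed names, throwaway keys):
#   root.pem -> int.pem -> leaf-via-int.pem   and   root.pem -> leaf-direct.pem
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # the intermediate must carry CA:TRUE or OpenSSL will not accept it as an issuer
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    for name in leaf-direct leaf-via-int; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    openssl x509 -req -days 1 -in "$dir/leaf-direct.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/leaf-direct.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf-via-int.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf-via-int.pem" 2>/dev/null
}

# Demo run: one leaf is acceptable for --root-ca-cert root.pem, the other is not,
# even though the rejected one validates fine as a full chain.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for leaf in leaf-direct leaf-via-int; do
    if direct_signer_check "$demo_dir/root.pem" "$demo_dir/$leaf.pem" 2>/dev/null; then
        echo "$leaf: OK, directly signed by root.pem"
    else
        echo "$leaf: rejected, an intermediate CA sits between root.pem and the cert"
    fi
done
chain_check "$demo_dir/root.pem" "$demo_dir/int.pem" "$demo_dir/leaf-via-int.pem" \
    && echo "leaf-via-int: full chain still validates once int.pem is supplied"
rm -rf "$demo_dir"
```

Run it against the real files by calling direct_signer_check with the CA you plan to pass as --root-ca-cert and the PKCS#12 contents exported to PEM; if the issuer DN printed in the error is not the CA you expected, that issuer is the intermediate the installer cannot handle, and the certificate has to be re-issued directly by the CA you give to IPA.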