On 06/07/2013 09:08 AM, Jan Cholasta wrote:
> On 7.6.2013 14:54, Dmitri Pal wrote:
>> On 06/07/2013 08:26 AM, Martin Kosek wrote:
>>> On 06/07/2013 02:04 PM, Dmitri Pal wrote:
>>>> On 06/07/2013 03:47 AM, freeipa wrote:
>>>>> #3668: CA-less install fails when intermediate CA is used
>>>>> -------------------------------------+-------------------------------------
>>>>>
>>>>>                 Reporter:  jcholast   |             Owner:  jcholast
>>>>>                     Type:  defect     |            Status:  assigned
>>>>>                 Priority:  major      |         Milestone:  2013
>>>>> Month 06 -
>>>>>                Component:             |  June (3.2.x bug fixing)
>>>>>    Installation                       |           Version:
>>>>>               Resolution:             |          Keywords:
>>>>>               Blocked By:             |          Blocking:
>>>>>            Tests Updated:  0          |       Affects DOC:  0
>>>>> Patch posted for review:  0          |  Red Hat Bugzilla:
>>>>>                   Source:             |       Effort Type:
>>>>>         Targeted feature:             |       Design link:
>>>>>            Design review:  0          |  Fedora test page:
>>>>>                   Chosen:             |   Needs UI design:
>>>>> -------------------------------------+-------------------------------------
>>>>>
>>>>> Release Notes:
>>>>>
>>>>>
>>>>> -------------------------------------+-------------------------------------
>>>>>
>>>>> Changes (by mkosek):
>>>>>
>>>>>   * rhbz:  0 =>
>>>>>
>>>>>
>>>>> Comment:
>>>>>
>>>>>   We not support intermediate CAs for external CA install or CA-less
>>>>>   install. Thus, this ticket cannot be easily solved extensive
>>>>> changes to
>>>>>   the installer. Related to #3274 (Pilsner milestone).
>>>>>
>>>>>   Moving back to triage to decide what to do about this ticket.
>>>>>
>>>> So you are saying that CA we chain to or get the certs from should
>>>> always be a root CA?
>>>> Why does it matter for our code whether the CA we deal with a Root
>>>> CA or
>>>> not?
>>> No, this is a case when a CA you pass for FreeIPA is not a direct
>>> "parent" of
>>> HTTP/DIRSRV certificates, i.e. there is an intermediate CA between
>>> the CA
>>> passed to IPA and the actual certs.
>>
>> My question is what prevents you to give IPA the certs from the direct
>> parent. What is the use case or real world scenario where the parent
>> certs are not available?
>> Just trying to wrap my head.
>>
>> I have CA 1 and CA 2. CA 2 is a sub CA of 1.
>> I have certs from CA 1
>> If I pass them to IPA but point to CA2 it would not work. OK
>> The example can be that CA1 is a public CA and CA2 is my CA. But what
>> prevents me from giving IPA the certs from CA2? Why would I try to give
>> IPA certs from CA1?
>>
>> Do I understand the scenario correctly?
>>
>
> Nothing is preventing you to give IPA certs from CA2, this works fine.
>
> The problem is that if you pass IPA certificates issued by CA2 and
> point it to CA1 at the same time, it does not work (despite having the
> complete trust chain).
>
> Honza
>

But why would you do so? What would be the reason and business case? Why
not to point to CA2?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to