Jan Pazdziora wrote:
On Fri, Jun 07, 2013 at 09:23:48AM -0400, Dmitri Pal wrote:

The problem is that if you pass IPA certificates issued by CA2 and
point it to CA1 at the same time, it does not work (despite having the
complete trust chain).

But why would you do so? What would be the reason and business case? Why
not to point to CA2?

Could the business case be an IPA server in DMZ which does not have
access to CA2 but it can get to (public) CA1?

A client does need to be able to contact a CA in order to trust it.
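The chain-building point argued over above, as an added shell example that is not code from the thread or from the FreeIPA project: build a demo root CA1, an intermediate CA2 signed by it, and a server certificate issued by CA2, then use `openssl verify` to see how a verifier that trusts only CA1 behaves with and without the intermediate in hand, and what "pointing at CA2" directly amounts to. Every subject name and file name is constructed for the demo; the only assumption is a local `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Builds CA1 (root) -> CA2 (intermediate) -> server leaf and checks how
# a verifier that trusts only CA1 behaves with and without the
# intermediate CA2 available. All subject names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA1: self-signed (openssl req -x509 marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca1.key -out ca1.pem \
    -subj "/CN=CA1 demo root" -days 2 >/dev/null 2>&1

# Intermediate CA2: CSR signed by CA1 with CA:TRUE constraints.
openssl req -newkey rsa:2048 -nodes -keyout ca2.key -out ca2.csr \
    -subj "/CN=CA2 demo intermediate" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca2.ext
openssl x509 -req -in ca2.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial \
    -out ca2.pem -days 2 -extfile ca2.ext >/dev/null 2>&1

# Server leaf issued by CA2 (the kind of certificate an IPA server would present).
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/CN=ipa.demo.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > srv.ext
openssl x509 -req -in srv.csr -CA ca2.pem -CAkey ca2.key -CAcreateserial \
    -out srv.pem -days 2 -extfile srv.ext >/dev/null 2>&1

# verify_leaf TRUST_ANCHOR [INTERMEDIATE]
# Exit status 0 when srv.pem chains up to TRUST_ANCHOR. INTERMEDIATE, if
# given, is offered only as untrusted chain-building material, the way a
# server would send it in a TLS handshake.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" srv.pem >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" srv.pem >/dev/null 2>&1
    fi
}

# verify_leaf_partial CA
# Trust CA directly even though it is not self-signed (openssl's
# -partial_chain); this is what "point it to CA2" amounts to.
verify_leaf_partial() {
    openssl verify -partial_chain -CAfile "$1" srv.pem >/dev/null 2>&1
}

# report LABEL CMD...: print the outcome without tripping set -e.
report() {
    label=$1; shift
    if "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

report "trust CA1, no intermediate available"   verify_leaf ca1.pem
report "trust CA1, CA2 supplied as untrusted"   verify_leaf ca1.pem ca2.pem
report "trust CA2 only, no root"                verify_leaf ca2.pem
report "trust CA2 directly (partial chain)"     verify_leaf_partial ca2.pem
```

The first line reports FAIL and the second OK: a verifier that trusts only CA1 cannot accept a CA2-issued certificate unless it can obtain CA2 from somewhere, either sent by the server alongside its own certificate or already present locally. Having the complete chain on the issuing side is not enough on its own; the check is whether the party doing the verification can get hold of the intermediate. The last line shows the other option from the thread: trusting CA2 directly works, but only if the verifier is willing to accept a non-root certificate as an anchor, which is a deliberate setting rather than the default.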