On Mon, 2013-09-09 at 11:17 +0200, Jan Cholasta wrote:
> Another question:
>
> Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
> set of trusted CAs, or is using one set for everything good enough?
> Using distinctive sets would allow granular control over what CA is
> trusted for what service (e.g. trust CA1 to issue certificates for LDAP
> and HTTP, but trust CA2 only to issue certificates for HTTP), but I'm
> not sure how useful that would be in the real world.

Seems very complicated. At most I would see it as sort of useful to be able to set a different CA just for HTTP (due to default browsers list of CA), but not for anything else.

But for this case I would rather write instructions on how to create a frontend on a *different* server, that just proxies in all requests to FreeIPA, just for people that want to use browsers w/o distributing the FreeIPA CA cert. That will solve their problem w/o complicating ours.

We could also explain how to configure SNI (easier than proxy, but depends on whether mod_nss supports it, mod_ssl does), so that people can use a public cert with a 'public' name and keep FreeIPA's own certs for internal management and joins etc...

Simo.

--
Simo Sorce * Red Hat, Inc * New York