On Mon, 2013-09-09 at 11:17 +0200, Jan Cholasta wrote:
> Another question:
> Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
> set of trusted CAs, or is using one set for everything good enough?
> Using distinctive sets would allow granular control over what CA is
> trusted for what service (e.g. trust CA1 to issue certificates for LDAP
> and HTTP, but trust CA2 only to issue certificates for HTTP), but I'm
> not sure how useful that would be in the real world.
Seems very complicated.
At most I would see as sort of useful to be able to set a different CA
just for HTTP (due to default browsers list of CA), but not for anything
else. But for this case I would rather write instructions on how to
create a frontend on a *different* server, that just proxies in all
requests to FreeIPA, just for people that want to use browsers w/o
distributing the FreeIPA CA cert. That will solve their problem w/o
We could also explain how to configure SNI (easier than proxy, but
depends on whether mod_nss supports it, mod_ssl does), so that people
can use a public cert with a 'public' name and keep FreeIPA own certs
for internal management and joins etc...
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list
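The SNI arrangement Simo sketches (a public certificate on a 'public' name, FreeIPA's own certificate kept for the internal management name) is easiest to see as an httpd configuration. The following is an added example, not FreeIPA's own httpd configuration and not something from the thread; it uses mod_ssl, as the reply notes mod_nss SNI support was uncertain, and the hostnames, paths and document roots are placeholders.

```apache
# Added example: two name-based TLS virtual hosts on one address, told apart
# by SNI. The public name serves a certificate from a browser-trusted CA, the
# internal name keeps the certificate issued by the FreeIPA CA, so enrolled
# clients need nothing beyond the FreeIPA CA they already trust.
# All hostnames and file paths are placeholders (assumptions, not FreeIPA's).

Listen 443

# Clients that send no SNI at all (very old TLS stacks) are handed the first
# vhost defined for this address, so the public name comes first.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Public-CA certificate and key (placeholders). With httpd 2.4.8+ the
    # intermediate chain can be appended to the certificate file itself.
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    DocumentRoot /var/www/public
</VirtualHost>

# Internal management name, reached only by enrolled hosts and admins.
<VirtualHost *:443>
    ServerName ipa.internal.example.com
    SSLEngine on
    # Certificate issued by the FreeIPA CA (placeholder paths).
    SSLCertificateFile    /etc/pki/tls/certs/ipa.internal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ipa.internal.example.com.key
    DocumentRoot /var/www/ipa
</VirtualHost>

# Reject SNI names that match no vhost instead of quietly falling back to
# the default certificate: a client pointed at the wrong name then fails
# visibly rather than getting a certificate warning it might click through.
SSLStrictSNIVHostCheck on
```

After reloading httpd, confirm which certificate each name receives with `openssl s_client -connect <server>:443 -servername www.example.com` and again with `-servername ipa.internal.example.com`, comparing the subject and issuer of the certificate shown; if both names return the same certificate, SNI is not taking effect and the first vhost is answering for everything.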