Maciej Drobniuch via FreeIPA-users wrote:
> Hey Guys,
> 
> I want to use the IPA CA for PKI on some of our web services( mostly of
> premises - that's why )
> 
> What I do not know is:
> 1. How to add a profile id for certificate generation for the user so
> he/she can paste a CSR and get a  certificate.

https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html

> 2. How to turn on/off automatic signing. ( I would like to review the
> request before signing )

No way to do that sort of workflow in IPA right now. You might be able
to figure out how to do it in dogtag directly but you'd be off the edge
of the map and wouldn't have any support for it.

> 3. How can I export the IPA revocation list so it's compliant with
> servers (CRL format)

It already exists at http://ipa-ca.example.com/ipa/crl/MasterCRL.bin

> 4. If this a bad idea?

Not really.

You might want to look into Sub-CAs as well so you have have a different
subject for your user CA.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/MVTSO5EYR5JWZPSZMFIPJI7AGZF4EMBS/

Reply via email to