Maciej Drobniuch via FreeIPA-users wrote:
> Hey Guys,
> I want to use the IPA CA for PKI on some of our web services( mostly of
> premises - that's why )
> What I do not know is:
> 1. How to add a profile id for certificate generation for the user so
> he/she can paste a CSR and get a  certificate.

> 2. How to turn on/off automatic signing. ( I would like to review the
> request before signing )

No way to do that sort of workflow in IPA right now. You might be able
to figure out how to do it in dogtag directly but you'd be off the edge
of the map and wouldn't have any support for it.

> 3. How can I export the IPA revocation list so it's compliant with
> servers (CRL format)

It already exists at

> 4. If this a bad idea?

Not really.

You might want to look into Sub-CAs as well so you have have a different
subject for your user CA.

FreeIPA-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:

Reply via email to