On Thu, Jan 31, 2019 at 10:30:36PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 31 Jan 2019, Natxo Asenjo via FreeIPA-users wrote:
> > Hi,
> >
> > at work I am testing using a light sub-CA with OpenVPN to limit the scope
> > of hosts that can auto-request a certificate.
> >
> > So far so good, really impressed with how well it works.
> >
> > The question I cannot answer is: are there specific URLs for CRL/OCSP for
> > sub-CAs, or do the 'generic' CRL/OCSP URLs apply to sub-CAs as well?
> There is no CRL support for subCAs. OCSP should work just fine.
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=1478394 for details.
>
To expand on Alexander's reply, the OCSP URL is indeed the same. This works
because all the lightweight CAs (and the main CA) share a single serial
number domain. So the OCSP responder uses the serial number to find the
correct issuer with which to sign the OCSP response.

Cheers,
Fraser

> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
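The following is an added example, not code from this thread or from the FreeIPA/Dogtag project. It builds a throwaway PKI with openssl that mirrors the setup discussed above: a self-signed "main" CA, a lightweight sub-CA issued by it, one host certificate from each, a single AIA OCSP URI stamped into every certificate (the URI is an assumed placeholder, not a real IPA endpoint), serial numbers kept unique across both CAs to mimic IPA's single serial number domain, and the sub-CA's revocation state kept only in an OCSP index, never in a CRL. One caveat is labelled in the code: openssl's built-in index responder is per-CA, so the script has to point it at the sub-CA explicitly, whereas the single IPA responder works out the issuer from the serial itself. The request/response round trip goes through files, so it runs offline.

```shell
#!/bin/sh
# Added example (not FreeIPA/Dogtag code): a throwaway PKI built with openssl.
#   root.pem      -> stands in for the IPA main CA
#   sub.pem       -> stands in for a lightweight sub-CA, issued by root
#   host-main.pem -> issued by root; host-sub-ok.pem / host-sub-rev.pem -> issued by sub
# Every host cert carries the same AIA OCSP URI (assumed placeholder), serials are
# unique across both CAs, and the sub-CA's status lives only in an OCSP index.
set -e
WORK=$(mktemp -d)
OCSP_URI="http://ipa-ca.example.test/ca/ocsp"   # assumption: placeholder, not IPA's real path

cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
EOF
cat > "$WORK/host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, serverAuth
authorityInfoAccess = OCSP;URI:$OCSP_URI
EOF

# newkey: EC P-256 key + CSR in one step (fast, no passphrase). $1 = name, $2 = subject
newkey() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

newkey root "/O=EXAMPLE.TEST/CN=Certificate Authority"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
  -days 365 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

newkey sub "/O=EXAMPLE.TEST/CN=OpenVPN Sub CA"
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -set_serial 2 -days 365 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" >/dev/null 2>&1

# issue: $1 = name, $2 = issuing CA name, $3 = serial (hex, unique across ALL CAs)
issue() {
  newkey "$1" "/CN=$1.example.test"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -set_serial "$3" -days 90 -extfile "$WORK/host.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue host-main    root 0x1001
issue host-sub-ok  sub  0x1002
issue host-sub-rev sub  0x1003

# Sub-CA status database in openssl index.txt format (constructed data):
# status, expiry, revocation time, serial, file, subject. Serial 0x1003 is revoked.
printf 'V\t300101000000Z\t\t1002\tunknown\t/CN=host-sub-ok.example.test\n'  >  "$WORK/index.txt"
printf 'R\t300101000000Z\t240101000000Z\t1003\tunknown\t/CN=host-sub-rev.example.test\n' >> "$WORK/index.txt"

# ocsp_uri_of: the OCSP URI a client reads from the certificate's AIA extension.
ocsp_uri_of() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# ocsp_status_of: build an OCSP request for $1, answer it with the sub-CA acting as
# its own responder (openssl's index responder is per-CA, so we point it at sub.pem
# ourselves; IPA's single responder derives the issuer from the serial), verify the
# response chains to root.pem, and print the status word: good | revoked.
ocsp_status_of() {
  cert="$1"
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/sub.pem" \
    -rsigner "$WORK/sub.pem" -rkey "$WORK/sub.key" \
    -issuer "$WORK/sub.pem" -cert "$cert" -no_nonce \
    -respout "$WORK/resp.der" >/dev/null 2>&1
  out=$(openssl ocsp -respin "$WORK/resp.der" -issuer "$WORK/sub.pem" -cert "$cert" \
    -no_nonce -CAfile "$WORK/root.pem" 2>&1)
  # Never trust a status whose signature did not verify against the trusted root.
  echo "$out" | grep -q 'Response verify OK' || { echo "unverified"; return 1; }
  echo "$out" | sed -n "s#^$cert: ##p" | head -n 1
}

for c in host-main host-sub-ok host-sub-rev; do
  printf '%-12s serial=%s ocsp=%s\n' "$c" \
    "$(openssl x509 -in "$WORK/$c.pem" -noout -serial | cut -d= -f2)" \
    "$(ocsp_uri_of "$WORK/$c.pem")"
done
echo "host-sub-ok:  $(ocsp_status_of "$WORK/host-sub-ok.pem")"
echo "host-sub-rev: $(ocsp_status_of "$WORK/host-sub-rev.pem")"
```

Against a real IPA deployment the same check collapses to two commands with standard openssl flags: `openssl x509 -in host.pem -noout -ocsp_uri` to read the URI the cert advertises (expect it to match what the main CA's certificates carry), then `openssl ocsp -issuer subca.pem -cert host.pem -url <that URI> -CAfile ca.crt`, where `subca.pem` is the lightweight CA's certificate and `ca.crt` the IPA root. Watch for two things: "Response verify OK" must appear, and the response should be signed by, or delegated from, the sub-CA that actually issued the cert; a "good" printed without a verified signature is worth nothing.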
