John Spooner via FreeIPA-users wrote:
>> I'm surprised LE issued a cert at all. It doesn't issue CA subordinate
>> certificates. You are not likely to find a public CA that will issue you
>> a subordinate CA without lots of $$$ and a ton of work due to
>> transparency requirements.
>
> So standard practice using FIPA would be to create our own chain within that
> environment and anything that needs outside communication would get signed by
> LE as a leaf node. Is that true?
That's certainly one way to do it. The question becomes: do you need outside
communication? It adds additional maintenance because the responsibility of
maintaining those certificates falls to you, the administrator, rather than
IPA handling it.

> I hate to ask basic questions, but I haven't been able to find any standard
> practice documentation so my process is to make assumptions and press buttons.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/ in
the Identity Management section.

>> What is the ultimate goal for using an external CA? So that clients will
>> already trust the issued certificates without requiring distributing the
>> chain?
>>
>> You can provide your own certificates for HTTP and LDAP, from LE or
>> elsewhere, either during the installation process or after the
>> installation is done. See the ipa-server-install and
>> ipa-server-certinstall man pages.
>>
>> rob
>
> Yes. This exactly, but I may be approaching this from the wrong angle as you
> explain in the second paragraph, but I didn't know what other perspectives
> there were.
>
> When banging one's head on the desk it feels good to finally stop. Thank you.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
