On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
> Fraser,
> 
> It doesn't look like we fit the model. Our IPA CA's cert is as
> expected, but the other one is:
> 
> $ openssl x509 -noout -in web-ca.crt -issuer
> issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA
> 
> Since I don't see a hostname in there anywhere (and in fact,
> further conversations with this team turned up the fact that
> they're just creating these by hand using openssl commands rather
> than running any sort of service at all), I'm hesitant to just
> barge ahead and try to make it work on my own...
 
The CN (damascusgrp.com) is a domain name.  You can add a host
object with that name to FreeIPA.  I think the procedure outlined in
the blog post should work for you.

Cheers,
Fraser
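As an added illustration, not part of the thread or of FreeIPA's own tooling: a small POSIX shell check that pulls the CN out of the line `openssl x509 -subject` / `-issuer` prints, tests whether it is a DNS-style name that a FreeIPA host object could carry, and prints the `ipa host-add` command to run. The sample DN lines are constructed, and the `--force` flag on `ipa host-add` (which skips the check that the name resolves in DNS) is my assumption rather than something the thread states.

```shell
# Added example, not from the thread or FreeIPA: take the subject/issuer line
# openssl prints for a CA cert, extract the CN and check it is a DNS-style
# name that a FreeIPA host object could carry, as suggested in the reply.

# CN from an openssl "subject=..."/"issuer=..." line, in either output style:
#   legacy: issuer= /C=US/O=DG Web Team/CN=damascusgrp.com
#   modern: issuer=C = US, O = DG Web Team, CN = damascusgrp.com
dn_cn() {
    dn=$(printf '%s' "$1" | sed 's/^[A-Za-z]*= *//')
    case $dn in
        /*) cn=$(printf '%s\n' "$dn" | sed -n 's#.*/CN=\([^/]*\).*#\1#p') ;;
        *)  cn=$(printf '%s\n' "$dn" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p') ;;
    esac
    cn=$(printf '%s' "$cn" | sed 's/^ *//; s/ *$//')   # trim whitespace
    [ -n "$cn" ] || return 1                            # no CN present
    printf '%s\n' "$cn"
}

# A FreeIPA host object takes a DNS name: dot-separated labels of letters,
# digits and hyphens, at least two labels, no spaces.
is_dns_name() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Print the ipa command that would register the host, or fail with a reason.
# --force (assumed here) skips ipa's check that the name resolves in DNS.
host_add_cmd() {
    cn=$(dn_cn "$1") || { echo "no CN found in: $1" >&2; return 1; }
    if is_dns_name "$cn"; then
        printf 'ipa host-add %s --force\n' "$cn"
    else
        echo "CN '$cn' is not a DNS name; no host object can carry it" >&2
        return 1
    fi
}

# Same check straight from a certificate file (needs openssl installed).
cert_host_add_cmd() {
    host_add_cmd "$(openssl x509 -noout -subject -in "$1")"
}

# Constructed sample lines, modelled on the issuer quoted in the thread.
LEGACY='issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com'
MODERN='subject=C = US, ST = VA, O = DG Web Team, CN = damascusgrp.com'
ROOTISH='subject=O = DG Web Team, CN = DG Web Team Root CA'

host_add_cmd "$LEGACY"    # ipa host-add damascusgrp.com --force
host_add_cmd "$MODERN"    # ipa host-add damascusgrp.com --force
host_add_cmd "$ROOTISH" || echo "CN does not fit; a different subject or a workaround is needed"
```

Run it against your own CA with `cert_host_add_cmd web-ca.crt`; a CN that fails the check is the case to take back to the list with the full Subject DN.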

> 
> -- 
>   Bret Wortman
>   bret.wort...@damascusgrp.com
> 
> On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users 
> > wrote:
> > > We had a developer team deploy their own CA and then issue a slew
> > > of certificates for users' workstations and other servers, and now
> > > they want us to deploy those certificates more widely. I'd rather
> > > find a way to bring their CA under ours so that the root CA
> > > certificate we already distribute will make theirs "just work"
> > > rather than having to distribute another set of root CA
> > > certificates.
> > > 
> > > Is this possible, or would they have to start over and build a
> > > subordinate CA from the ground up to make it work? If it's perhaps
> > > possible, under what circumstances?
> > > 
> > Hi Bret,
> > 
> > It is possible, but there are restrictions about what the sub-CAs
> > subject DN can be.  Have a read of this blog post:
> > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> > 
> > If your developer team's CA certificate does not fit those
> > requirements, please share the details of the certificate
> > (especially Subject DN) and I'll see if I can find a workaround.
> > 
> > Cheers,
> > Fraser
> > 
> > >
> > > Thanks!
> > > 
> > > Bret
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: 
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: 
> > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > Do not reply to spam on the list, report it: 
> > > https://pagure.io/fedora-infrastructure
> > 
> >
> 