N. V. via FreeIPA-users wrote: > Hi FreeIPA Team, > > I’m currently working on a project where we plan to use FreeIPA, and > more specifically it's PKI, and while analysing the available > documentation I could not be completely sure if the current version > supports having Sub-CAs or Lightweight CAs signed by an external CA. Can > you please clarify this?
AFAIK sub CAs can only be be signed by its own root CA. It is automatic when a request for one is made. Seems like renewing them would be pretty complex. > If not, do you have any plans to add this feature in future releases? > And if so, do you have an idea when that version might be available? You'd need to ask the dogtag project. They would have to implement it first, then it would need to be integrated into IPA. This seems like a pretty niche request so I wouldn't hold out much hope. Why do you need a sub CA signed by an external CA? Having a compelling use case would improve the chances of implementation. rob -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
