Hi Rob,

Thanks for your answer.

The use cases are basically the ones described here:
https://github.com/dogtagpki/pki/wiki/Lightweight-CA-Use-Cases#hosting-unrelated-cas--sub-cas

In our case, the scenario would be to have FreeIPA configured with a root CA (self-signed or not) and some "Intermediate" CAs, signed by this root CA, that would serve different modules within our system, but having the possibility to transfer the ownership of one or more of these modules to a third party, with its own CA, keeping everything working without having to generate and distribute certificates for all of the components (devices, laptops, etc.).

Regards,
Nelson V.

On Wed, 9 Oct 2024 at 16:42, Rob Crittenden <[email protected]> wrote:

> N. V. via FreeIPA-users wrote:
> > Hi FreeIPA Team,
> >
> > I’m currently working on a project where we plan to use FreeIPA, and
> > more specifically its PKI, and while analysing the available
> > documentation I could not be completely sure if the current version
> > supports having Sub-CAs or Lightweight CAs signed by an external CA. Can
> > you please clarify this?
>
> AFAIK sub CAs can only be signed by its own root CA. It is automatic
> when a request for one is made. Seems like renewing them would be pretty
> complex.
>
> > If not, do you have any plans to add this feature in future releases?
> > And if so, do you have an idea when that version might be available?
>
> You'd need to ask the dogtag project. They would have to implement it
> first, then it would need to be integrated into IPA. This seems like a
> pretty niche request so I wouldn't hold out much hope.
>
> Why do you need a sub CA signed by an external CA? Having a compelling
> use case would improve the chances of implementation.
>
> rob
