Ok, makes sense. You'd need to bring it up with the dogtag pki project. We use the features they expose.

rob

N. V. wrote:
> Hi Rob,
>
> Thanks for your answer.
>
> The use cases are basically the ones described here:
> https://github.com/dogtagpki/pki/wiki/Lightweight-CA-Use-Cases#hosting-unrelated-cas--sub-cas
> In our case, the scenario would be to have FreeIPA configured with a
> root CA (self-signed or not) and some "Intermediate" CAs, signed by this
> root CA, that would serve different modules within our system, but
> having the possibility to transfer the ownership of one or more of these
> modules to a third-party, with its own CA, keeping everything working
> without having to generate and distribute certificates for all of the
> components (devices, laptops, etc.).
>
> Regards,
> Nelson V.
>
> On Wed, 9 Oct 2024 at 16:42, Rob Crittenden <[email protected]> wrote:
>
> > N. V. via FreeIPA-users wrote:
> > > Hi FreeIPA Team,
> > >
> > > I’m currently working on a project where we plan to use FreeIPA, and
> > > more specifically its PKI, and while analysing the available
> > > documentation I could not be completely sure if the current version
> > > supports having Sub-CAs or Lightweight CAs signed by an external CA. Can
> > > you please clarify this?
> >
> > AFAIK sub CAs can only be signed by its own root CA. It is automatic
> > when a request for one is made. Seems like renewing them would be pretty
> > complex.
> >
> > > If not, do you have any plans to add this feature in future releases?
> > > And if so, do you have an idea when that version might be available?
> >
> > You'd need to ask the dogtag project. They would have to implement it
> > first, then it would need to be integrated into IPA. This seems like a
> > pretty niche request so I wouldn't hold out much hope.
> >
> > Why do you need a sub CA signed by an external CA? Having a compelling
> > use case would improve the chances of implementation.
> >
> > rob

--
FreeIPA-users mailing list
