On Fri, Feb 6, 2015 at 3:30 PM, Martin Kosek <mko...@redhat.com> wrote:
> On 02/06/2015 12:53 AM, Christopher Young wrote:
> > Obvious next question: Any plans to implement that functionality or advice
> > on how one might get some level of functionality for this? Would it be
> > possible to create another command-line based openssl CA that could issue
> > these but using IPA as the root CA for those?
>
> As for FreeIPA plans, we plan to vastly improve our flexibility to process
> certificates in next upstream version - FreeIPA 4.2. In next version, one
> should be able to create other certificate profiles (from FreeIPA default
> service cert profile) or even subCAs to do what you want.

nice. When do all these things land in RHEL?

> As for current workarounds, you would have to issue and sign a for example NSS
> or openssl based subCA and then sign user certs there. But I would leave Fraser
> or Jan to tell if this would be really possible.

some examples on how to do that would be very helpful. I would love to
authenticate users to mysql using our CA, for instance.

--
regards,
natxo
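The workaround discussed in this thread (a subCA signed by a root, which then signs user certificates), as an added example that is not from any poster or from the FreeIPA project. It uses a throwaway self-signed root as a stand-in for the IPA CA, and all subjects, file names and config section names are constructed; whether the IPA CA itself can sign the subCA request is left open in the thread and is not shown.

```shell
# Added example. The root below is a throwaway stand-in, not the FreeIPA CA;
# every name, path and config section name is constructed for illustration.
set -e

build_chain() {  # $1 = existing working directory
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ext]
# pathlen:0: the subCA may issue end-entity certs but no further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
# end-entity cert limited to TLS client authentication
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Stand-in root CA (self-signed)
    openssl req -x509 -config "$d/pki.cnf" -extensions root_ext -days 30 \
        -newkey rsa:2048 -nodes -subj "/O=EXAMPLE.TEST/CN=Stand-in Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt"
    new_csr "$d" sub "/O=EXAMPLE.TEST/CN=User SubCA"   # subCA key + CSR
    sign "$d" sub root sub_ext                         # root signs the subCA
    new_csr "$d" user "/O=EXAMPLE.TEST/CN=alice"       # user key + CSR
    sign "$d" user sub user_ext                        # subCA signs the user
}
new_csr() {  # dir, name, subject
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr"
}
sign() {  # dir, name, issuer name, extension section
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/pki.cnf" -extensions "$4" -days 30 \
        -out "$1/$2.crt"
}
verify_as() {  # dir, purpose (sslclient or sslserver)
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
        -purpose "$2" "$1/user.crt"
}

work=$(mktemp -d)
build_chain "$work"
verify_as "$work" sslclient   # chain root -> subCA -> user, client purpose
```

The keys are written unencrypted (`-nodes`) only so the run is non-interactive; a real subCA key would be passphrase-protected or kept in an NSS database or HSM. Because the user certificate carries only the `clientAuth` extended key usage, the same chain is rejected when checked with `-purpose sslserver`.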