On 02/06/2015 10:38 AM, Natxo Asenjo wrote:
On Fri, Feb 6, 2015 at 3:30 PM, Martin Kosek <mko...@redhat.com <mailto:mko...@redhat.com>> wrote:

    On 02/06/2015 12:53 AM, Christopher Young wrote:
    > Obvious next question:  Any plans to implement that
    functionality or advice
> on how one might get some level of functionality for this? Would it be
    > possible to create another command-line based openssl CA that
    could issue
    > these but using IPA as the root CA for those?

    As for FreeIPA plans, we plan to vastly improve our flexibility to
    certificates in next upstream version - FreeIPA 4.2. In next
    version, one
    should be able to create other certificate profiles (from FreeIPA
    service cert profile) or even subCAs to do what you want.

nice. When do all these things land in RHEL?

It we manage to land 4.2 in RHEL 7.2 then it will be there.
Time will show how successful we will be with this plan so no promises so far.

    As for current workarounds, you would have to issue and sign a for
    example NSS
    or openssl based subCA and then sign user certs there. But I would
    leave Fraser
    or Jan to tell if this would be really possible.

some examples on how to do that would be very helpful. I would love to authenticate users to mysql using our CA, for instance.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to