On 05/04/2015 01:19 PM, Harald Dunkel wrote:
> Hi folks,
> Instead of a self-signed certificate I would like to use an external
> CA to sign freeipa's CSR ("ipa-server-install --external-ca").
> Question:
> Is pathlen:0, e.g.
>       basicConstraints=critical,CA:TRUE, pathlen:0
> sufficient for freeipa's CA certificate?

I would say it should be sufficient for FreeIPA CA for now, given it does not
allow subordinate CAs. However, I am still CCing Fraser and Honza for
reference, in case there would be some limitation in Dogtag/our CA certificate
that would limit use of the basicConstraints extension.

Note that this basiConstrain would surely prevent you from using the upcoming


but this is OK with you, I assume. BTW, Fraser, we should record a task to
properly watch for the pathlen limitation and have nice error messages around
it when admin attempts to use Sub-CAs.

Final note, there is a related ticket:


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to