On 5.5.2015 at 10:43, Martin Kosek wrote:
On 05/04/2015 01:19 PM, Harald Dunkel wrote:
Hi folks,

Instead of a self-signed certificate I would like to use an external
CA to sign freeipa's CSR ("ipa-server-install --external-ca").

Is pathlen:0, e.g.

        basicConstraints=critical,CA:TRUE, pathlen:0

sufficient for freeipa's CA certificate?

I would say it should be sufficient for FreeIPA CA for now, given it does not
allow subordinate CAs. However, I am still CCing Fraser and Honza for
reference, in case there would be some limitation in Dogtag/our CA certificate
that would limit use of the basicConstraints extension.

I'm not aware of any.

Note that this basicConstraints would surely prevent you from using the upcoming


but this is OK with you, I assume. BTW, Fraser, we should record a task to
properly watch for the pathlen limitation and have nice error messages around
it when admin attempts to use Sub-CAs.

Final note, there is a related ticket:



Jan Cholasta
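
The effect of `pathlen:0` discussed in this thread can be reproduced with the OpenSSL command-line tool. This is an added example, not part of the original messages and not FreeIPA or Dogtag code; the CA names, subjects and file names are constructed, and OpenSSL stands in for the external CA. A certificate issued directly by the `pathlen:0` CA verifies, while one issued by a sub-CA beneath it is rejected.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file here is made up for illustration.
set -eu

# Create an EC key and CSR for <name>, then sign it.
# Args: name, subject CN, issuer name ("self" = self-signed), basicConstraints value.
issue() {
    name=$1; cn=$2; issuer=$3; bc=$4
    openssl ecparam -genkey -name prime256v1 -noout -out "$name.key" 2>/dev/null
    openssl req -new -key "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
    printf 'basicConstraints=%s\n' "$bc" > "$name.ext"
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    fi
}

# Verify <leaf> against root.pem, offering the remaining names as untrusted intermediates.
verifies() {
    leaf=$1; shift; args=""
    for ca in "$@"; do args="$args -untrusted $ca.pem"; done
    openssl verify -CAfile root.pem $args "$leaf.pem" >/dev/null 2>&1
}

# Build root -> ipa (pathlen:0) -> host, and root -> ipa -> subca -> host2, then verify both.
pathlen_demo() (
    workdir=$(mktemp -d); cd "$workdir"
    issue root  "Constructed External Root" self  "critical,CA:TRUE"
    issue ipa   "Constructed IPA CA"        root  "critical,CA:TRUE,pathlen:0"
    issue host  "host.example.test"         ipa   "CA:FALSE"
    issue subca "Constructed Sub-CA"        ipa   "critical,CA:TRUE"
    issue host2 "host2.example.test"        subca "CA:FALSE"
    verifies host ipa        && direct=ok || direct=fail
    verifies host2 ipa subca && viasub=ok || viasub=fail
    cd / && rm -rf "$workdir"
    echo "leaf-under-ipa=$direct leaf-under-subca=$viasub"
)

pathlen_demo
```

The sub-CA certificate itself is still issued without complaint; the constraint only takes effect when a relying party validates a chain that passes through it.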
