Hi,
On 5.5.2015 at 10:43, Martin Kosek wrote:
On 05/04/2015 01:19 PM, Harald Dunkel wrote:
Hi folks,
Instead of a self-signed certificate I would like to use an external
CA to sign freeipa's CSR ("ipa-server-install --external-ca").
Question:
Is pathlen:0, e.g.
basicConstraints=critical,CA:TRUE, pathlen:0
sufficient for freeipa's CA certificate?
I would say it should be sufficient for FreeIPA CA for now, given it does not
allow subordinate CAs. However, I am still CCing Fraser and Honza for
reference, in case there would be some limitation in Dogtag/our CA certificate
that would limit use of the basicConstraints extension.
I'm not aware of any.
Note that this basicConstraints would surely prevent you from using the upcoming feature
http://www.freeipa.org/page/V4/Sub-CAs
but this is OK with you, I assume. BTW, Fraser, we should record a task to
properly watch for the pathlen limitation and have nice error messages around
it when admin attempts to use Sub-CAs.
Final note, there is a related ticket:
https://fedorahosted.org/freeipa/ticket/3466
Martin
Honza
--
Jan Cholasta
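To make the pathlen:0 consequence concrete, here is an added example (not code from FreeIPA, Dogtag or anyone in the thread) that models the RFC 5280 basicConstraints path-length rule (section 6.1.4, steps k, l and m) and runs it over the chains the thread discusses: external root, FreeIPA CA with CA:TRUE, pathlen:0, and below it either a host certificate or a sub-CA. The certificates are constructed dataclasses, not real X.509 objects, and the subject names are invented for the demonstration.

```python
# Added example, not code from FreeIPA or Dogtag: a minimal model of the
# RFC 5280 path-length rule (section 6.1.4, steps k, l and m) applied to the
# chains that matter in the thread. Certificates are plain dataclasses
# constructed here, not real X.509 objects; the subject names are invented.

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool                       # basicConstraints CA flag
    pathlen: Optional[int] = None  # basicConstraints pathLenConstraint; None = absent


def validate_path(chain: List[Cert]) -> Optional[str]:
    """Apply the basicConstraints checks of RFC 5280 6.1.4 to a chain.

    chain[0] is the trust anchor (the external root), chain[-1] is the
    certificate being validated. Returns None if the path is acceptable,
    otherwise a string naming the first violation. Constraints embedded in
    the trust anchor itself are ignored, as RFC 5280 permits; only the
    certificates below it are checked.
    """
    if len(chain) < 2:
        return "need a trust anchor and at least one certificate"
    # RFC 5280 initialises max_path_length to the number of certificates in
    # the path; any value >= that behaves as "unlimited" until a CA cert
    # lowers it via its own pathLenConstraint.
    max_path_length = len(chain)
    for i in range(1, len(chain)):
        cert, parent = chain[i], chain[i - 1]
        if cert.issuer != parent.subject:
            return f"{cert.subject!r} was not issued by {parent.subject!r}"
        if i == len(chain) - 1:
            # The target certificate: path-length accounting applies only to
            # certificates that go on to issue others (6.1.4 is skipped for
            # the last certificate), so nothing more to check here.
            break
        # Step (k): an issuing certificate must assert CA:TRUE.
        if not cert.ca:
            return f"{cert.subject!r} is not a CA but issued {chain[i + 1].subject!r}"
        # Step (l): every non-self-issued CA in the path consumes one level.
        if max_path_length <= 0:
            return (f"{cert.subject!r} sits below a pathLenConstraint that "
                    f"allows no further CA at this depth")
        max_path_length -= 1
        # Step (m): a CA certificate may only tighten the remaining budget.
        if cert.pathlen is not None and cert.pathlen < max_path_length:
            max_path_length = cert.pathlen
    return None


# Constructed chains (assumptions for this demonstration). The FreeIPA CA
# certificate carries "CA:TRUE, pathlen:0" exactly as proposed in the thread.
EXTERNAL_ROOT = Cert("CN=Example External Root", "CN=Example External Root", ca=True)
IPA_CA = Cert("CN=Certificate Authority,O=EXAMPLE.TEST", EXTERNAL_ROOT.subject,
              ca=True, pathlen=0)
HOST_CERT = Cert("CN=host.example.test", IPA_CA.subject, ca=False)
SUB_CA = Cert("CN=Example Sub-CA", IPA_CA.subject, ca=True)
SUB_CA_LEAF = Cert("CN=app.example.test", SUB_CA.subject, ca=False)


def check_freeipa_scenarios() -> dict:
    """Evaluate the cases the thread discusses and return their outcomes."""
    return {
        # What FreeIPA does today: the IPA CA issues host/service certs.
        "ipa_ca_issues_leaf": validate_path([EXTERNAL_ROOT, IPA_CA, HOST_CERT]),
        # A sub-CA certificate is itself a valid target ...
        "sub_ca_cert_itself": validate_path([EXTERNAL_ROOT, IPA_CA, SUB_CA]),
        # ... but anything that sub-CA issues fails: pathlen:0 on the IPA CA
        # is what blocks the Sub-CAs feature.
        "sub_ca_issues_leaf": validate_path([EXTERNAL_ROOT, IPA_CA, SUB_CA, SUB_CA_LEAF]),
    }


if __name__ == "__main__":
    for name, outcome in check_freeipa_scenarios().items():
        print(f"{name}: {'OK' if outcome is None else outcome}")
```

The first two chains validate and the third is rejected at the sub-CA: a pathlen:0 FreeIPA CA may issue end-entity certificates, and a sub-CA certificate under it even parses as a valid target, but nothing that sub-CA signs will chain. Raising the constraint on the IPA CA certificate to pathlen:1 is what makes the fourth chain acceptable. With real PEM files the equivalent check is `openssl verify -CAfile external-root.pem -untrusted ipa-ca.pem -untrusted sub-ca.pem app.pem`, which should fail with "path length constraint exceeded" for the pathlen:0 case.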
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project