Hi, I am currently trying to use FreeIPA to issue client certificates for some internal application we have. (More precisely, SSL double authentication between two of my applications; the client side would be Java, the server side would be Apache httpd.) I considered two options:

1. Issue client certificates directly from FreeIPA: it does not seem that it's currently "supported". I can actually generate a client certificate by creating a new principal for a host, and use ipa-getcert to generate a certificate for it. However, this certificate is valid for both user and server authentication, and I cannot change it. Furthermore, I cannot change the CN of the certificate; it is the server's hostname for which the principal has been generated. That's a poor solution.

2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to do whatever I want to do. I tried to use the dogtag profiles with the ipa-getcert -T option, but the profiles were ignored when I tried to use them, and I always got 'regular' certificates.

I did some research, and found this RFE: http://www.freeipa.org/page/V4/Sub-CAs

And this Sub-CA notion seems to be perfect for what I want to do. When I'm looking at the ticket, it seems that it is quietly sleeping somewhere, remaining not updated. I would love to see this feature in FreeIPA v4.2. Has anyone a status on this RFE and its current status?

Cheers,

--
Thibaut Pouzet
Lyra Network
Ingénieur Systèmes et Réseaux
(+33) 5 31 22 40 08
www.lyra-network.com
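An added check, not part of the original post: after ipa-getcert (or any CA) hands back a certificate, inspect its Extended Key Usage with openssl to see whether it carries clientAuth alone or, as described above, both clientAuth and serverAuth. It assumes OpenSSL 1.1.1 or later (for `-ext` and `-addext`); the sample certificates are constructed self-signed ones for demonstration only.

```shell
#!/bin/sh
# Classify a PEM certificate by its Extended Key Usage (EKU).
# Prints one of: client-only, server-only, both, none

eku_of() {
    # $1 = path to a PEM certificate; print only the EKU extension text
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null
}

classify_eku() {
    ext=$(eku_of "$1")
    has_client=0
    has_server=0
    case "$ext" in *"TLS Web Client Authentication"*) has_client=1 ;; esac
    case "$ext" in *"TLS Web Server Authentication"*) has_server=1 ;; esac
    if [ "$has_client" -eq 1 ] && [ "$has_server" -eq 1 ]; then
        echo both
    elif [ "$has_client" -eq 1 ]; then
        echo client-only
    elif [ "$has_server" -eq 1 ]; then
        echo server-only
    else
        echo none
    fi
}

# Constructed sample: a throwaway self-signed certificate whose EKU is
# given in $1 (e.g. "clientAuth" or "clientAuth, serverAuth").
# Prints the path of the generated certificate.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 \
        -subj "/CN=app-client.example.test" \
        -addext "extendedKeyUsage = $1" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage on a real certificate: classify_eku /etc/pki/tls/certs/app.pem
```

A certificate reported as `both` is the situation the post describes; a client-side application certificate should come back `client-only`.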