Clark, Thank you.
> I personally haven't done this, but from https://www.freeipa.org/page/PKI > > "when --external-ca option is used, ipa-server-install produces a certificate certificate request for it's CA certificate so that it can be properly chained in existing PKI infrastructure." > Is anyone here been successful in getting external CA to sign this kind of certificate? I have just tried to convince DigiCert for 2 days that there is no harm issuing this kind of certificate as long us it's restricted to one domain without success. Which external CA would be more open to signing this kind of certificate? Lastly, would there be any harm enrolling IPA clients to this server before feeding it the signed certificate ? Regards William
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project