On 29.07.2016 at 22:27, William Muriithi wrote:

> Is anyone here been successful in getting external CA to sign this kind of certificate? I have just tried to convince DigiCert for 2 days that there is no harm issuing this kind of certificate as long us it's restricted to one domain without success.
> Which external CA would be more open to signing this kind of certificate?

I'm afraid that there is not a single external CA that would sign request for CA certificate. They need to make sure that certificate would not be used for fraudulent purposes (for e.g. Man-in-the-Middle attacks) which usually means that they keep control of all subordinate CAs they create (you can only place requests for client or server certificates - but domain ownership validation and certificate issuance takes place in their infrastructure) or they verified that you securely store your private key in dedicated HSM and have adequate policies and rules regarding certificate issuance.

There is "X.509 Name Constraints" extension for certificates, however external CA would have to make this extension as "critical" (which would probably cause compatibility issues with some software - "critical" means that if some app doesn't know how to handle this extension, it has to report error and do not proceed with establishing secure connection). Also, if they decide to sell such CA certificate, it would probably be much more expensive than "simple" one (as this would allow you to issue further certificates for your domain without paying external CAs for them).

You can either go CA-less and buy certificates for all your services or use free certificates from Let's Encrypt (if you want to want your certificates to validate "nicely" on users own devices) or use internal CA and install its root certificate on all hosts using your IPA server. As I understand, --external-ca option should be used when you already have configured PKI infrastructure in your network (for example Active Directory Certificate Services) and spinning another internal CA is not a big deal. You've mentioned that there is already an Active Directory domain, so the last options seems the easiest one - internal CA root certificate can be deployed to Windows workstation using AD and IPA configured with external CA would automatically deploy internal root CA to Linux workstations on during ipa-client-install.

Best regards
Mateusz Małek

Network and Computer Systems Administrator
Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to