> > Which external CA would be more open to signing this kind of
> I'm afraid that there is not a single external CA that would sign request
> for CA certificate. They need to make sure that certificate would not be
> used for fraudulent purposes (for e.g. Man-in-the-Middle attacks) which
> usually means that they keep control of all subordinate CAs they create
> (you can only place requests for client or server certificates - but domain
> ownership validation and certificate issuance takes place in their
> infrastructure) or they verified that you securely store your private key
> in dedicated HSM and have adequate policies and rules regarding certificate
Understandable. Did speak with them and realised it's not a straightforward
thing. As I understand, some CAs like Symantec may allow sub CA.
> There is "X.509 Name Constraints" extension for certificates, however
> external CA would have to make this extension as "critical" (which would
> probably cause compatibility issues with some software - "critical" means
> that if some app doesn't know how to handle this extension, it has to
> report error and do not proceed with establishing secure connection).
The certificate with CA basic constraint would only have been used on
freeIPA, not on other servers. I believe freeIPA could handle such a
> As I understand, --external-ca option should be used when you already
> have configured PKI infrastructure in your network (for example Active
> Directory Certificate Services) and spinning another internal CA is not a
> big deal. You've mentioned that there is already an Active Directory
> domain, so the last option seems the easiest one - internal CA root
> certificate can be deployed to Windows workstation using AD and IPA
> configured with external CA would automatically deploy internal root CA to
> Linux workstations during ipa-client-install.
Interesting. Active Directory certificate service would also be using a
self-signed certificate, correct?
Saw another thread today of someone using the --external-ca flag. Wish someone
who has gone through the process could document the process, including if
they are using an external CA.
> Best regards
> Mateusz Małek
Appreciate your feedback a lot.
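The trade-off around marking Name Constraints "critical" that this thread discusses, as an added example that is not part of the original messages or of FreeIPA's code: a simplified relying-party check in Python. The `Extension` model, the helper names and the `ipa.example.test` / `www.example.org` hostnames are constructed assumptions, and only dNSName constraints on a single sub-CA are modelled.

```python
from dataclasses import dataclass, field

NAME_CONSTRAINTS = "2.5.29.30"    # id-ce-nameConstraints (RFC 5280)
BASIC_CONSTRAINTS = "2.5.29.19"   # id-ce-basicConstraints (RFC 5280)

@dataclass
class Extension:                  # hypothetical, simplified model of a parsed extension
    oid: str
    critical: bool
    value: dict = field(default_factory=dict)

def dns_in_subtree(name, base):
    """dNSName rule: base matches itself and names with extra labels on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def check_leaf(ca_extensions, leaf_dns_names, understood):
    """Decide as a relying party that implements only the OIDs in `understood`."""
    for ext in ca_extensions:
        if ext.oid not in understood:
            if ext.critical:
                return False, "unrecognized critical extension " + ext.oid
            continue              # unknown non-critical extensions are skipped
        if ext.oid != NAME_CONSTRAINTS:
            continue
        permitted = ext.value.get("permitted_dns", [])
        excluded = ext.value.get("excluded_dns", [])
        for name in leaf_dns_names:
            if any(dns_in_subtree(name, b) for b in excluded):
                return False, name + " is in an excluded subtree"
            if permitted and not any(dns_in_subtree(name, b) for b in permitted):
                return False, name + " is outside the permitted subtrees"
    return True, "ok"

def sub_ca(critical):
    """Constructed sub-CA extensions: a CA limited to ipa.example.test."""
    return [Extension(BASIC_CONSTRAINTS, True, {"ca": True}),
            Extension(NAME_CONSTRAINTS, critical, {"permitted_dns": ["ipa.example.test"]})]

MODERN = {BASIC_CONSTRAINTS, NAME_CONSTRAINTS}   # client that enforces name constraints
LEGACY = {BASIC_CONSTRAINTS}                     # client that does not know the extension

if __name__ == "__main__":
    for label, exts, names, client in [
        ("in-scope host, modern client", sub_ca(True), ["host1.ipa.example.test"], MODERN),
        ("out-of-scope host, modern client", sub_ca(True), ["www.example.org"], MODERN),
        ("in-scope host, legacy client, critical", sub_ca(True), ["host1.ipa.example.test"], LEGACY),
        ("out-of-scope host, legacy client, non-critical", sub_ca(False), ["www.example.org"], LEGACY),
    ]:
        print(label, "->", check_leaf(exts, names, client))
```

The last case shows why the extension has to be critical to be dependable: a client that does not implement it accepts the out-of-scope name when the flag is off, and fails closed on every certificate from that sub-CA when the flag is on.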