Mateusz,

> > Which external CA would be more open to signing this kind of certificate?
>
> I'm afraid that there is not a single external CA that would sign a request for a CA certificate. They need to make sure that the certificate would not be used for fraudulent purposes (e.g. man-in-the-middle attacks), which usually means that they keep control of all subordinate CAs they create (you can only place requests for client or server certificates, but domain ownership validation and certificate issuance take place in their infrastructure), or they have verified that you securely store your private key in a dedicated HSM and have adequate policies and rules regarding certificate issuance.

Understandable. I did speak with them and realised it's not a straightforward thing. As I understand, some CAs like Symantec may allow a sub CA.

> There is an "X.509 Name Constraints" extension for certificates; however, the external CA would have to mark this extension as "critical" (which would probably cause compatibility issues with some software: "critical" means that if some app doesn't know how to handle this extension, it has to report an error and not proceed with establishing a secure connection).

The certificate with the CA basic constraint would only have been used on FreeIPA, not on other servers. I believe FreeIPA could handle such a certificate.

> As I understand, the --external-ca option should be used when you already have a configured PKI infrastructure in your network (for example Active Directory Certificate Services) and spinning up another internal CA is not a big deal. You've mentioned that there is already an Active Directory domain, so the last option seems the easiest one: the internal CA root certificate can be deployed to Windows workstations using AD, and IPA configured with an external CA would automatically deploy the internal root CA to Linux workstations during ipa-client-install.

Interesting. Active Directory Certificate Services would also be using a self-signed certificate, correct? I saw another thread today of someone using the --external-ca flag. I wish someone who has gone through the process could document it, including whether they are using an external CA.

> --
> Best regards
> Mateusz Małek

Appreciate your feedback a lot.

William
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
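The name-constrained sub-CA idea discussed in the thread above, as an added worked example that is not from the thread, from Mateusz, or from the FreeIPA project. It uses the openssl CLI to build a throwaway chain: a self-signed root (standing in for the external or enterprise root), a subordinate CA certificate whose nameConstraints extension is marked critical and limited to .example.com, and two server certificates, one inside and one outside the permitted subtree. All names (Example Root CA, example.com, host.evil.test) are placeholders, and the checks show what a verifier that does implement name constraints (here OpenSSL) makes of each leaf.

```shell
#!/bin/sh
# Added example, not code from the freeipa-users thread or the FreeIPA
# project. Builds a throwaway PKI with the openssl CLI: a self-signed root,
# a subordinate CA with a critical nameConstraints extension permitting only
# .example.com, and two leaf certificates. All names are placeholders.
# Requires: the openssl command-line tool (1.1.1 or newer recommended).
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so 'openssl req' does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the subordinate CA: a real CA certificate (CA:TRUE), but its
# issuing power is fenced in by a critical nameConstraints extension. Per
# RFC 5280 a relying party that does not understand a critical extension must
# reject the certificate, which is the compatibility concern raised above.
cat > sub.ext <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical,permitted;DNS:.example.com
EOF

# EC keys keep the example fast; the constraint logic is key-type independent.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Root CA, self-signed.
openssl req -x509 -config req.cnf -extensions v3_ca $KEYOPTS -sha256 -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1

# Subordinate CA: CSR, then signed by the root with the constrained extensions.
openssl req -new -config req.cnf $KEYOPTS -sha256 \
  -subj "/CN=Example Constrained Sub CA" -keyout sub.key -out sub.csr >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile sub.ext -out sub.pem >/dev/null 2>&1

# issue_leaf NAME: server certificate with SAN dNSName NAME, issued by the sub CA.
issue_leaf() {
  openssl req -new -config req.cnf $KEYOPTS -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# verify_leaf NAME: "ok" if the chain leaf -> sub -> root validates, else "fail".
verify_leaf() {
  if openssl verify -CAfile root.pem -untrusted sub.pem "$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# nc_is_critical: "yes" if the sub CA's Name Constraints extension is flagged critical.
nc_is_critical() {
  if openssl x509 -in sub.pem -noout -text | grep -q 'Name Constraints: critical'; then
    echo yes
  else
    echo no
  fi
}

issue_leaf host.example.com   # inside the permitted subtree
issue_leaf host.evil.test     # outside it
echo "nameConstraints critical: $(nc_is_critical)"                 # yes
echo "host.example.com:         $(verify_leaf host.example.com)"   # ok
echo "host.evil.test:           $(verify_leaf host.evil.test)"     # fail
```

The out-of-subtree leaf fails with a permitted subtree violation, which is exactly the property an external CA would be relying on if it ever agreed to sign such a certificate; the flip side is that any client which does not implement nameConstraints must refuse the whole chain because the extension is critical. For the FreeIPA side, the --external-ca install produces a CSR for the IPA CA that has to be signed by whichever root you choose (an AD CS root in the scenario above) and then handed back to the installer together with the issuing chain, so the constrained sub-CA in this example would play the role of the IPA CA certificate.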