On 02.08.2016 at 00:41, William Muriithi wrote:
> > > Which external CA would be more open to signing this kind of certificate?
> >
> > I'm afraid that there is not a single external CA that would sign request for CA certificate. (...)
> Understandable. Did speak with them and realised its not a straight forward thing. As I understand, some CA like Symantec may allow sub CA.

They still would not allow you to have control of sub-CA private key, probably. After numerous incidents with mis-issued certificates, browser vendors want to be rather safe than sorry - and they have "no mercy" policy for any incidents (Symantec is forced to report every certificate issued to publicly available certificate transparency logservers, CNNIC can no longer issue valid certificates), which makes CA owners rather cautious. Revoking trust in one's root CA can even result in bankruptcy of such company (see DigiNotar case).

> > There is "X.509 Name Constraints" extension for certificates, however external CA would have to make this extension as "critical" (which would probably cause compatibility issues with some software - "critical" means that if some app doesn't know how to handle this extension, it has to report error and do not proceed with establishing secure connection).
> The certificate with CA basic constraint would only have been used on freeIPA, not on other servers. I believe freeIPA could handle such a certificate.

FreeIPA should be perfectly fine, the problem is with workstations. While (almost?) all software is capable of understanding CA basic constraint (as it was known and used for ages), limiting CA to single domain zone using X.509 Name Constraints can have some side effects (apps on user workstation have to validate all certificates up to root CA - if it happens that they don't understand name constraints, they will choke on IPA CA certificate if such extension is marked "critical"; I think that's the case with majority of Apple devices). I'm not aware of any CA that issues technically constrained sub-CAs and I think that according to latest guidelines, they are required to publicly disclose other sub-CAs issued (and such CAs have to undergo full WebTrust audit and have CPS just like regular CA).

I'm using name-constrained CA certificate from our internal root CA, however, name constraints extension is not marked as critical. Our internally-issued certificates are to be seen only by admins, so it's just additional precaution (in case some admin would find it funny to use certificate issued from internal CA to MitM another admin) rather than security measure.

> > As I understand, --external-ca option should be used when you already have configured PKI infrastructure in your network (for example Active Directory Certificate Services) and spinning another internal CA is not a big deal. You've mentioned that there is already an Active Directory domain, (...)
> >
> Interesting. Active Directory certificate service would also be using self signed certificate, correct?

Correct. AD Certificate Service can generate its own self-signed root CA certificate, just like FreeIPA with internal CA does. As far as I know, depending on how you initialize AD CS, this certificate would be deployed to domain-joined machines automatically or you would have to push it through Group Policies.

> Saw another thread today of someone using --external-ca flag. Wish someone who has gone through the process could document the process including if they are using external CA

Installation with external CA is quite similar to default setup - when you indicate that you want to use external CA, installation process has two phases. First, ipa-server-install performs some tasks and generates CSR request file. Then, you sign it using your other CA (just make sure it preserves CA constraint; we were using EasyRSA, which has separate command/profile for creating subordinate CAs). Next, you save your signed certificate back to your new IPA server and invoke installer once again with additional arguments (this command is shown when first stage finishes) - and configuration process continues just like without external CA.

Best regards
Mateusz Małek

Network and Computer Systems Administrator
Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to