Mateusz
>> > There is "X.509 Name Constraints" extension for certificates, however
>> > external CA would have to make this extension as "critical" (which would
>> > probably cause compatibility issues with some software - "critical" means
>> > that if some app doesn't know how to handle this
William,
On 02.08.2016 at 00:41, William Muriithi wrote:
>
> > > Which external CA would be more open to signing this kind of
certificate?
> >
> > I'm afraid that there is not a single external CA that would sign
request for CA certificate. (...)
>
> Understandable. Did speak with them and
Mateusz
> >
> > Which external CA would be more open to signing this kind of
certificate?
>
> I'm afraid that there is not a single external CA that would sign request
for CA certificate. They need to make sure that certificate would not be
used for fraudulent purposes (for e.g. Man-in-the-Middle
William,
On 29.07.2016 at 22:27, William Muriithi wrote:
> Is anyone here been successful in getting external CA to sign this
kind of certificate? I have just tried to convince DigiCert for 2 days
that there is no harm issuing this kind of certificate as long us it's
restricted to one
Clark,
Thank you.
> I personally haven't done this, but from https://www.freeipa.org/page/PKI
>
> "when --external-ca option is used, ipa-server-install produces a
certificate certificate request for it's CA certificate so that it can be
properly chained in existing PKI infrastructure."
>
Is
I personally haven't done this, but from https://www.freeipa.org/page/PKI
"when --external-ca option is used, ipa-server-install produces a
certificate certificate request for it's CA certificate so that it can be
properly chained in existing PKI infrastructure."
and from
Hello
I want to use an external certificate when setting up a new FreeIPA
next week and plan to send the CSR tomorrow.
I would like to source a certificate for example.com and use it on
FreeIPA on eng.example.com. I can't specifically set the FreeIPA on
example.com because we have active