lejeczek via FreeIPA-users wrote:
> On 18/07/2019 00:49, Fraser Tweedale wrote:
>> On Wed, Jul 17, 2019 at 12:46:15PM +0100, lejeczek via FreeIPA-users wrote:
>>>>> Hi,
>>>>> please have a look at [1] Changing the Certificate chain:
>>>>> ----8<----
>>>>> Self-signed CA certificate → externally-signed CA certificate
>>>>> Add the --external-ca option to ipa-cacert-manage renew. This renews the
>>>>> self-signed CA certificate as an externally-signed CA certificate.
>>>>> For details on running the command with this option, see Section 26.2.2,
>>>>> “Renewing CA Certificates Manually”.
>>>>> ---->8----
>>>>>
>>>>> you need to specify --external-ca --external-ca-type ms-cs
>>>>> --external-ca-profile MySubCA
>>>>>
>>>> But replace "MySubCA" with the appropriate template name. Or leave
>>>> it out if the default template name ("SubCA") is correct. You can
>>>> also specify template by OID. Read `man 1 ipa-cacert-manage` for
>>>> full details.
>>>>
>>>> Cheers,
>>>> Fraser
>>> AD's end - is "Appendix B: creating a custom sub-CA certificate
>>> template" a must-have or optional, and can it be skipped over to "Appendix
>>> C: issuing a certificate"?
>>>
>>> I imagine quite a few of us, those who do not have control over the AD
>>> domain and need to rely on those who have, must think that question.
>>>
>> It is not essential to use a custom sub-CA template for the IPA CA.
>> The default ("SubCA") works just fine (subject to policy).
>
> I confess I skipped it and just went straight to "submit request" and
> then back to IPA, which worked okay (sorry, UTF8 (win 2016) was the bit
> needed, without it "renew" failed)
>
> How can one check, look for confirmation (apart from executed commands
> being successful), for peace of mind & curiosity, that AD is in IPA's
> cert chain?
Look at the issuer in the IPA CA certificate. It should be the DN of the AD CA.

rob

>
>>> many thanks, L.
>>>
>>> ps. templates/profiles - is there more one could read to understand what
>>> is SubCA, what is IPA's default profile, etc.?
>>>
>> "Template" in AD and "profile" in IPA are the same concept: defining
>> how to build the certificate to be issued, and constraints.
>>
>> The AD "SubCA" template issues a CA certificate (Basic Constraints
>> extension with CA: TRUE) signed by the AD CA. Common reasons to
>> define a custom sub-CA template are to specify the pathLenConstraint
>> (i.e. can the subject issue further sub-CAs?), or the Name
>> Constraints extension (what namespaces can the subject issue
>> certificates for?).
>>
>> I don't know for sure if AD has a default template; I have only ever
>> seen the template explicitly specified in the CSR but maybe there
>> are other ways.
>>
>> In IPA the default profile is "caIPAserviceCert" which is suitable
>> for TLS services.
>>
>> Cheers,
>> Fraser
>
> Is changing the chain (apart from the risk attached to doing something,
> anything, and that something can go wrong) healthy? (security) e.g.
> Having AD CA as root then changing to another AD, then maybe back to
> IPA's own.
>
> many thanks, L.
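The check rob describes, scripted as an added example that is not from the thread: it compares the IPA CA certificate's issuer and subject DN, and, given the AD CA's certificate, also verifies the signature, because a matching issuer name alone does not prove who signed. It assumes the openssl CLI is installed; the default path /etc/ipa/ca.crt is an assumption about where IPA keeps its CA certificate.

```shell
# Added example, not from the thread. Assumes the openssl CLI; the
# default path /etc/ipa/ca.crt (where IPA keeps its CA certificate) is
# an assumption, pass another path as the first argument if needed.

# Print the subject or issuer DN of a PEM certificate in RFC 2253 form.
# $1 = subject|issuer, $2 = PEM file. The sed strips the "subject=" or
# "issuer= " prefix so old and new openssl versions compare alike.
cert_dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Report whether a CA certificate is self-signed (issuer DN equals the
# subject DN) or externally signed (issuer DN is another CA, e.g. the AD CA).
ca_chain_status() {
    cert="${1:-/etc/ipa/ca.crt}"
    subject=$(cert_dn subject "$cert")
    issuer=$(cert_dn issuer "$cert")
    if [ "$subject" = "$issuer" ]; then
        echo "self-signed: $subject"
    else
        echo "externally-signed: issuer=$issuer subject=$subject"
    fi
}

# A matching issuer DN is only a name. To confirm the AD CA really signed
# the IPA CA certificate, verify the signature against the AD CA's own cert.
# $1 = IPA CA cert, $2 = AD CA cert. Prints "verified" or "NOT verified".
ca_signed_by() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "verified"
    else
        echo "NOT verified"
    fi
}

# Usage when run directly: sh check_ca_chain.sh /etc/ipa/ca.crt [ad-ca.pem]
if [ -n "$1" ]; then
    ca_chain_status "$1"
    if [ -n "$2" ]; then
        ca_signed_by "$1" "$2"
    fi
fi
```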
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org