lejeczek via FreeIPA-users wrote:
> On 18/07/2019 00:49, Fraser Tweedale wrote:
>> On Wed, Jul 17, 2019 at 12:46:15PM +0100, lejeczek via FreeIPA-users wrote:
>>>>> Hi,
>>>>> please have a look at [1] Changing the Certificate chain:
>>>>> ----8<----
>>>>> Self-signed CA certificate → externally-signed CA certificate
>>>>>     Add the --external-ca option to ipa-cacert-manage renew. This renews the
>>>>> self-signed CA certificate as an externally-signed CA certificate.
>>>>>     For details on running the command with this option, see Section 26.2.2,
>>>>> “Renewing CA Certificates Manually”.
>>>>> ---->8----
>>>>>
>>>>> you need to specify --external-ca --external-ca-type ms-cs
>>>>> --external-ca-profile MySubCA
>>>>>
>>>> But replace "MySubCA" with the appropriate template name.  Or leave
>>>> it out if the default template name ("SubCA") is correct.  You can
>>>> also specify template by OID.  Read `man 1 ipa-cacert-manage` for
>>>> full details.
>>>>
>>>> Cheers,
>>>> Fraser
>>> AD's end - is "Appendix B: creating a custom sub-CA certificate
>>> template" a must-have or optional, and can it be skipped over to "Appendix
>>> C: issuing a certificate"?
>>>
>>> I imagine quite a few of us, those who do not have control over AD
>>> domain and need to rely on those who have, must think that question.
>>>
>> It is not essential to use a custom sub-CA template for the IPA CA.
>> The default ("SubCA") works just fine (subject to policy).
> 
> I confess I skipped it and just went straight to "submit request" and
> then back to IPA, which worked okay (sorry, UTF8 (win 2016) was the bit
> needed, without it "renew" failed)
> 
> How can one check, look for confirmation (apart from executed commands
> being successful), for peace of mind & curiosity, that AD is in IPA's
> cert chain?

Look at issuer in the IPA CA certificate. It should be the DN of the AD CA.

rob

> 
>>> many thanks, L.
>>>
>>> ps. templates/profiles - is there more one could read to understand what
>>> SubCA is, what IPA's default profile is, etc.?
>>>
>> "Template" in AD and "profile" in IPA are the same concept: defining
>> how to build the certificate to be issued, and constraints.
>>
>> The AD "SubCA" template issues a CA certificate (Basic Constraints
>> extension with CA: TRUE) signed by the AD CA.  Common reasons to
>> define a custom sub-CA template are to specify the pathLenConstraint
>> (i.e. can the subject issue further sub-CAs?), or the Name
>> Constraints extension (what namespaces can the subject issue
>> certificates for?).
>>
>> I don't know for sure if AD has a default template; I have only ever
>> seen the template explicitly specified in the CSR but maybe there
>> are other ways.
>>
>> In IPA the default profile is "caIPAserviceCert" which is suitable
>> for TLS services.
>>
>> Cheers,
>> Fraser
> 
> Is changing the chain (apart from the risk attached to doing something,
> anything, and that something can go wrong) healthy? (security) eg.
> Having AD CA as root then changing to another AD, then maybe back to
> IPA's own.
> 
> many thanks, L.
> 
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
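The check Rob describes above (the Issuer DN of the IPA CA certificate should equal the Subject DN of the AD CA) can be scripted. The following is an added example, not code from the thread or from FreeIPA; it assumes `openssl` is on PATH and builds a constructed stand-in PKI (an "AD" root plus an IPA CA signed by it, and a self-signed IPA CA for contrast). On a real deployment the same functions would be pointed at the IPA CA certificate, `/etc/ipa/ca.crt`, and the exported AD CA certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): confirm that the IPA CA certificate
# chains to the AD CA by comparing its Issuer DN with the AD CA's Subject DN,
# and back that up with a cryptographic chain verification.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Print the issuer / subject DN in RFC 2253 form so both sides compare canonically.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//';  }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# Returns 0 when CERT's Issuer DN equals PARENT's Subject DN *and* PARENT's
# key actually verifies CERT's signature; a matching DN alone is not proof.
ipa_ca_issuer_matches() {
    cert="$1"; parent="$2"
    [ "$(cert_issuer "$cert")" = "$(cert_subject "$parent")" ] || return 1
    openssl verify -CAfile "$parent" "$cert" >/dev/null 2>&1
}

# Returns 0 when issuer == subject, i.e. the CA certificate is still the
# self-signed IPA CA rather than an externally signed one.
is_self_signed() { [ "$(cert_issuer "$1")" = "$(cert_subject "$1")" ]; }

# Constructed sample PKI (labelled as such): names are placeholders.
make_sample_pki() {
    # "AD" root CA, self-signed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/DC=example/DC=test/CN=Example AD Root CA' \
        -keyout "$WORK/ad.key" -out "$WORK/ad.crt" >/dev/null 2>&1
    # IPA CA CSR, then signed by the "AD" root as a sub-CA (pathlen:0).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' \
        -keyout "$WORK/ipa.key" -out "$WORK/ipa.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/subca.ext"
    openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/ad.crt" -CAkey "$WORK/ad.key" \
        -CAcreateserial -days 1 -extfile "$WORK/subca.ext" \
        -out "$WORK/ipa-external.crt" >/dev/null 2>&1
    # Self-signed IPA CA with the same subject, for contrast.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' \
        -keyout "$WORK/ipa-self.key" -out "$WORK/ipa-self.crt" >/dev/null 2>&1
}

make_sample_pki

if ipa_ca_issuer_matches "$WORK/ipa-external.crt" "$WORK/ad.crt"; then
    echo "ipa-external.crt is signed by: $(cert_issuer "$WORK/ipa-external.crt")"
fi
if is_self_signed "$WORK/ipa-self.crt"; then
    echo "ipa-self.crt is still self-signed (no external CA in the chain)"
fi
```

The DN comparison is what Rob suggests reading off by eye; the `openssl verify` step is the extra check worth having, because an attacker-supplied or stale certificate can carry any Issuer DN it likes, while only the AD CA's private key can produce a signature that verifies against the AD CA certificate.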
