Christopher Lord via FreeIPA-users wrote:
> Hi All,
> 
> We are doing a PoC of FreeIPA using a Sub CA issued by ms-ca as the CA
> for FreeIPA. One of the test cases laid out by our security team is that
> we need to be able to issue Sub CA certs for each FreeIPA replica so
> that we are able to revoke one of the Sub CAs and still have a
> functioning FreeIPA stack. However I haven't been able to find a way to
> have an issued Sub CA cert per replica server, or how to have a FreeIPA
> replica register that its Sub CA cert has been revoked.
> 
> Is it possible to do these? If so, could I please be pointed to the
> appropriate doco?

I think there is a misunderstanding of what an IPA master is, and what a
"replica" is. The only thing that distinguishes one master from another
is the order of installation (the first is assigned the role of renewal
master and CRL generator) and the optional services on it (CA, KRA, DNS,
AD). They are otherwise all exactly identical.

A unique SubCA isn't (and can't be) generated for each new master created.

rob


> Cheers,
> 
> Chris
> 
> 
> Christopher Lord
> *Systems Engineer*
> *T*   +61 2 9994 8587
> *E*   christopher.lord@mnfgroup.limited
> *mnfgroup.limited <https://mnfgroup.limited>*
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org