On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote:
> We had a developer team deploy their own CA and then issue a slew
> of certificates for users' workstations and other servers, and now
> they want us to deploy those certificates more widely. I'd rather
> find a way to bring their CA under ours so that the root CA
> certificate we already distribute will make theirs "just work"
> rather than having to distribute another set of root CA
> certificates.
>
> Is this possible, or would they have to start over and build a
> subordinate CA from the ground up to make it work? If it's perhaps
> possible, under what circumstances?
>

Hi Bret,

It is possible, but there are restrictions about what the sub-CA's
subject DN can be. Have a read of this blog post:

https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html

If your developer team's CA certificate does not fit those
requirements, please share the details of the certificate
(especially Subject DN) and I'll see if I can find a workaround.

Cheers,
Fraser

>
> Thanks!
>
> Bret
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure