Okay, I'll give it a try. Thanks!
-- Bret Wortman bret.wort...@damascusgrp.com On Tue, Feb 16, 2021, at 6:59 AM, Fraser Tweedale wrote: > On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote: > > Fraser, > > > > It doesn't look like we fit the model. Our IPA CA's cert is as > > expected, but the other one is: > > > > $ openssl x509 -noout -in web-ca.crt -issuer issuer= > > /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG > > Web Team Root CA > > > > Since I don't see a hostname in there anywhere (and in fact, > > further conversations with this team turned up the fact that > > they're just creating these by hand using openssl commands rather > > than running any sort of service at all), I'm hesitant to just > > barge ahead and try to make it work on my own... > > The CN (damascusgrp.com) is a domain name. You can add a host > object with that name to FreeIPA. I think the procedure outlined in > the blog post should work for you. > > Cheers, > Fraser > > > > > -- > > Bret Wortman > > bret.wort...@damascusgrp.com > > > > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote: > > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users > > > wrote: > > > > We had a developer team deploy their own CA and then issue a slew > > > > of certificates for users' workstations and other servers, and now > > > > they want us to deploy those certificates more widely. I'd rather > > > > find a way to bring their CA under ours so that the root CA > > > > certificate we already distribute will make theirs "just work" > > > > rather than having to distribute another set of root CA > > > > certificates. > > > > > > > > Is this possible, or would they have to start over and build a > > > > subordinate CA from the ground up to make it work? If it's perhaps > > > > possible, under what circumstances? > > > > > > > Hi Bret, > > > > > > It is possible, but there are restrictions about what the sub-CAs > > > subject DN can be. Have a read of this blog post: > > > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html > > > > > > If your developer team's CA certificate does not fit those > > > requirements, please share the details of the certificate > > > (especially Subject DN) and I'll see if I can find a workaround. > > > > > > Cheers, > > > Fraser > > > > > > > > > > > Thanks! > > > > > > > > Bret > > > > _______________________________________________ > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > > > To unsubscribe send an email to > > > > freeipa-users-le...@lists.fedorahosted.org > > > > Fedora Code of Conduct: > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > List Archives: > > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > > > Do not reply to spam on the list, report it: > > > > https://pagure.io/fedora-infrastructure > > > > > > > > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
