On 21/01/2022 23:09, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
Hi guys

I'm for the first time contemplating a CA service from a public CA, to
subordinate IPA to it. Would it make sense, with a *.sub.domain cert, if
one already has such a cert from that public CA, to still want to sub
IPA's CA?

(not a CA expert so go easy on me)
I'm not quite sure I understand the question.

I think what you're asking is: I have a wildcard cert from a public CA.
Is that sufficient or should I get my IPA CA signed by the public CA?

For the first question, maybe. You can replace the IPA web and LDAP
certificates with the one from the public CA but it requires manual
intervention at renewal and the more you share that key around the less
secure it is in general.

For the second question, I seriously doubt a public CA will sign an IPA
CA because of policies. And if they did you'd need a small fortune to do it.

rob

That is pretty much what I wondered about.

Now, trying that first thing (the "maybe"), IPA is not happy.

I've added the Root CAs but:

-> $ ipa-server-certinstall -w -d private_key.key ssl_certificate.cer
Directory Manager password:

Enter private key unlock password:

cannot connect to 'https://sucker.private:443/acme/directory': [Errno 111] Connection refused
The ipa-server-certinstall command failed.

...

No KRA in this domain - is that why?

many thanks, L.
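Before running `ipa-server-certinstall -w -d private_key.key ssl_certificate.cer` with a public wildcard cert, the three things worth checking are the ones that cause the silent failures: the key you pass with -d belongs to that cert, the cert chains to a root you have installed, and the wildcard SAN actually covers the IPA host (one label only). The script below is an added example, not from the thread or the FreeIPA project; it builds a throwaway root and wildcard cert with openssl (constructed data) and uses the hypothetical names *.sub.domain and ipa.sub.domain.

```shell
#!/bin/sh
# Pre-flight checks for `ipa-server-certinstall -w -d KEY CERT`. The chain is
# constructed here with openssl as test data; it is not a real public CA.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed "public" root and a wildcard server cert signed by it,
# plus an unrelated key so the mismatch check can be seen firing.
make_fixture() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.sub.domain" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.sub.domain,DNS:sub.domain\n' > "$dir/san.cnf"
  openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/san.cnf" \
    -out "$dir/srv.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.key" 2>/dev/null
}

# Check 1: the private key given with -d is the one the cert was issued for
# (compare the public key derived from each).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Check 2: the cert chains to the root bundle IPA already trusts
# (the file you added with `ipa-cacert-manage install`).
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: some SAN entry covers the IPA host. A wildcard matches exactly one
# label, so *.sub.domain covers ipa.sub.domain but not a.b.sub.domain.
san_covers_host() {
  cert=$1; host=$2
  names=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | tr ',' '\n' | sed -n 's/.*DNS://p')
  ok=1
  set -f   # keep the literal "*." from globbing against the cwd
  for name in $names; do
    case $name in
      \*.*) [ "${name#\*.}" = "${host#*.}" ] && [ "${host#*.}" != "$host" ] && ok=0 ;;
      *)    [ "$name" = "$host" ] && ok=0 ;;
    esac
  done
  set +f
  return $ok
}

# Run all three; exit non-zero on the first failure with a reason.
preflight() {
  ca=$1; key=$2; cert=$3; host=$4
  key_matches_cert "$key" "$cert"  || { echo "FAIL: key does not match cert"; return 1; }
  cert_chains_to_ca "$ca" "$cert"   || { echo "FAIL: cert does not chain to $ca"; return 1; }
  san_covers_host "$cert" "$host"   || { echo "FAIL: SAN does not cover $host"; return 1; }
  echo "ok: ipa-server-certinstall -w -d $key $cert should accept this pair"
}

make_fixture "$WORK"
preflight "$WORK/root.crt" "$WORK/srv.key" "$WORK/srv.crt" ipa.sub.domain
```

Run it against your real files by calling `preflight /etc/ipa/ca.crt private_key.key ssl_certificate.cer "$(hostname -f)"` instead of the fixture. Note the check only tells you the pair is consistent and covers the host; it says nothing about ACME, which certinstall talks to separately.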
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org