On 05/04/2015 01:19 PM, Harald Dunkel wrote:
> Hi folks,
>
> Instead of a self-signed certificate I would like to use an external
> CA to sign freeipa's CSR ("ipa-server-install --external-ca").
> Question:
>
> Is pathlen:0, e.g.
>
> basicConstraints=critical,CA:TRUE, pathlen:0
>
> sufficient for freeipa's CA certificate?
I would say it should be sufficient for FreeIPA CA for now, given it does not allow subordinate CAs. However, I am still CCing Fraser and Honza for reference, in case there would be some limitation in Dogtag/our CA certificate that would limit use of the basicConstraints extension.

Note that this basicConstraints would surely prevent you from using the upcoming feature http://www.freeipa.org/page/V4/Sub-CAs but this is OK with you, I assume.

BTW, Fraser, we should record a task to properly watch for the pathlen limitation and have nice error messages around it when admin attempts to use Sub-CAs.

Final note, there is a related ticket: https://fedorahosted.org/freeipa/ticket/3466

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
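As an added illustration of the point discussed above (not part of the thread, and not FreeIPA or Dogtag code), the script below builds a throwaway three-level PKI with the openssl CLI: an external root with no path length limit, a CA certificate carrying `basicConstraints=critical,CA:TRUE,pathlen:0` standing in for the FreeIPA CA, an end-entity certificate issued directly by it, and a sub-CA under it with its own end-entity certificate. `openssl verify` accepts the first chain and rejects the second with a path length error, which is exactly the Sub-CAs limitation Martin describes. It assumes `openssl` (1.1.1 or later recommended) and `mktemp` are on the PATH; every subject name, file name and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: what pathlen:0 on a CA certificate permits and forbids.
# All names below are constructed; nothing here comes from a real deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# new_csr NAME: fresh RSA key and CSR with subject /CN=NAME
new_csr() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# issue NAME ISSUER BASICCONSTRAINTS KEYUSAGE: sign NAME's CSR with ISSUER's key,
# using OpenSSL x509v3 extension syntax (the same syntax as in the question).
issue() {
    printf 'basicConstraints=%s\nkeyUsage=critical,%s\n' "$3" "$4" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

build_demo_pki() {
    # External root: self-signed, CA:TRUE with no pathlen limit.
    new_csr external-root
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/external-root.ext"
    openssl x509 -req -in "$WORK/external-root.csr" -signkey "$WORK/external-root.key" \
        -days 30 -extfile "$WORK/external-root.ext" -out "$WORK/external-root.crt" >/dev/null 2>&1

    # Stand-in for the FreeIPA CA certificate as signed by the external CA, with pathlen:0.
    new_csr ipa-ca
    issue ipa-ca external-root 'critical,CA:TRUE,pathlen:0' 'keyCertSign,cRLSign'

    # End-entity certificate issued directly by that CA: zero intermediates follow it.
    new_csr host1.example.test
    issue host1.example.test ipa-ca 'critical,CA:FALSE' 'digitalSignature,keyEncipherment'

    # Sub-CA under the pathlen:0 CA, plus a certificate it issues. Issuance itself
    # succeeds (x509 -req does not check the issuer's pathlen); validation will not.
    new_csr sub-ca
    issue sub-ca ipa-ca 'critical,CA:TRUE' 'keyCertSign,cRLSign'
    new_csr host2.example.test
    issue host2.example.test sub-ca 'critical,CA:FALSE' 'digitalSignature,keyEncipherment'
}

# pathlen_of NAME: the "pathlen:N" token from NAME's basicConstraints, or "none".
pathlen_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -o 'pathlen:[0-9]*' || echo none
}

# verify_chain LEAF INTERMEDIATE...: exit 0 if LEAF validates up to the external root
# through the given intermediates, non-zero otherwise.
verify_chain() {
    leaf=$1; shift
    : > "$WORK/chain.pem"
    for ca in "$@"; do cat "$WORK/$ca.crt" >> "$WORK/chain.pem"; done
    openssl verify -CAfile "$WORK/external-root.crt" -untrusted "$WORK/chain.pem" \
        "$WORK/$leaf.crt" >/dev/null 2>&1
}

build_demo_pki
echo "ipa-ca basicConstraints: $(pathlen_of ipa-ca)"
if verify_chain host1.example.test ipa-ca; then
    echo "host1 via ipa-ca: OK"
fi
if ! verify_chain host2.example.test ipa-ca sub-ca; then
    echo "host2 via ipa-ca -> sub-ca: rejected (path length constraint exceeded)"
fi
```

Running it prints the accepted and rejected chains; dropping the `>/dev/null 2>&1` on the `openssl verify` line shows the verifier's own "path length constraint exceeded" message at the depth of the sub-CA. The same check applies to any relying party that implements RFC 5280 path validation, so a CA certificate signed with pathlen:0 can issue host and service certificates but every certificate under a subordinate CA of it will be rejected.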