William,
On 02.08.2016 at 00:41, William Muriithi wrote:
>
> > > Which external CA would be more open to signing this kind of
> > > certificate?
> >
> > I'm afraid that there is not a single external CA that would sign a
> > request for a CA certificate. (...)
>
> Understandable. Did speak with them and realised it's not a
> straightforward thing. As I understand, some CA like Symantec may allow
> sub CA.

They still would not allow you to have control of the sub-CA private key,
probably. After numerous incidents with mis-issued certificates, browser
vendors would rather be safe than sorry - and they have a "no mercy"
policy for any incidents (Symantec is forced to report every certificate
issued to publicly available certificate transparency log servers, CNNIC
can no longer issue valid certificates), which makes CA owners rather
cautious. Revoking trust in one's root CA can even result in bankruptcy
of such a company (see the DigiNotar case).

> > There is the "X.509 Name Constraints" extension for certificates,
> > however the external CA would have to mark this extension as "critical"
> > (which would probably cause compatibility issues with some software -
> > "critical" means that if some app doesn't know how to handle this
> > extension, it has to report an error and not proceed with establishing
> > a secure connection).
>
> The certificate with CA basic constraint would only have been used on
> freeIPA, not on other servers. I believe freeIPA could handle such a
> certificate.

FreeIPA should be perfectly fine; the problem is with workstations.
While (almost?) all software is capable of understanding the CA basic
constraint (as it has been known and used for ages), limiting a CA to a single
domain zone using X.509 Name Constraints can have some side effects
(apps on user workstations have to validate all certificates up to the root
CA - if it happens that they don't understand name constraints, they
will choke on the IPA CA certificate if such an extension is marked "critical";
I think that's the case with the majority of Apple devices). I'm not aware
of any CA that issues technically constrained sub-CAs, and I think that
according to the latest guidelines, they are required to publicly disclose
other sub-CAs issued (and such CAs have to undergo a full WebTrust audit
and have a CPS just like a regular CA).

I'm using a name-constrained CA certificate from our internal root CA;
however, the name constraints extension is not marked as critical. Our
internally-issued certificates are to be seen only by admins, so it's
just an additional precaution (in case some admin finds it funny to
use a certificate issued from the internal CA to MitM another admin) rather
than a security measure.

> > As I understand, the --external-ca option should be used when you
> > already have a configured PKI infrastructure in your network (for example
> > Active Directory Certificate Services) and spinning up another internal CA
> > is not a big deal. You've mentioned that there is already an Active
> > Directory domain, (...)
> >
> Interesting. Active Directory certificate service would also be using a
> self-signed certificate, correct?

Correct. AD Certificate Services can generate its own self-signed root CA
certificate, just like FreeIPA with an internal CA does. As far as I know,
depending on how you initialize AD CS, this certificate would be
deployed to domain-joined machines automatically or you would have to
push it through Group Policies.

> Saw another thread today of someone using the --external-ca flag. Wish
> someone who has gone through the process could document the process,
> including if they are using an external CA.

Installation with an external CA is quite similar to the default setup - when
you indicate that you want to use an external CA, the installation process has
two phases. First, ipa-server-install performs some tasks and generates a
CSR file. Then, you sign it using your other CA (just make sure
it preserves the CA constraint; we were using EasyRSA, which has a separate
command/profile for creating subordinate CAs). Next, you save your
signed certificate back to your new IPA server and invoke the installer once
again with additional arguments (this command is shown when the first stage
finishes) - and the configuration process continues just like without an
external CA.
--
Best regards
Mateusz Małek
Network and Computer Systems Administrator
Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology
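The signing step from the thread above, as an added shell example (mine, not from the thread, EasyRSA or the FreeIPA project) using OpenSSL: the external root signs the sub-CA CSR while preserving basicConstraints CA:TRUE, adds a nameConstraints extension that is left non-critical as in Mateusz's setup, and then checks that a leaf inside the zone verifies while one outside it does not. The zone ipa.example.test, the subject names and the file names are assumptions.

```shell
# Added example, not from the thread: OpenSSL stand-in for the external CA
# signing step, with the sub-CA limited to the assumed zone ipa.example.test.
set -e
WORK=$(mktemp -d); cd "$WORK"

# 1. External root CA standing in for the organisation's existing root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile root.ext -out root.crt >/dev/null 2>&1

# 2. Sub-CA CSR (the file the first ipa-server-install phase hands you).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=IPA Sub CA" \
  -keyout subca.key -out subca.csr >/dev/null 2>&1

# 3. Sign it. CA:TRUE must be preserved; nameConstraints is left non-critical
#    as in the thread (RFC 5280 wants it critical, which some clients reject).
cat > subca.ext <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = permitted;DNS:.ipa.example.test
EOF
openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile subca.ext -out subca.crt >/dev/null 2>&1

# issue_leaf NAME: issue a server cert for NAME from the sub-CA and verify the
# chain up to the root; prints "ok" or "fail".
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA subca.crt -CAkey subca.key -CAcreateserial \
    -days 365 -sha256 -extfile leaf.ext -out "$1.crt" >/dev/null 2>&1
  if openssl verify -CAfile root.crt -untrusted subca.crt "$1.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# nc_critical: prints "yes" if the sub-CA's nameConstraints is flagged critical.
nc_critical() {
  if openssl x509 -in subca.crt -noout -text | grep -q 'Name Constraints: critical'
  then echo yes; else echo no; fi
}

issue_leaf host.ipa.example.test   # ok: inside the permitted zone
issue_leaf host.other.test         # fail: permitted subtree violation
nc_critical                        # no
```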
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project