Mateusz

>> > There is "X.509 Name Constraints" extension for certificates, however
>> > external CA would have to mark this extension as "critical" (which would
>> > probably cause compatibility issues with some software - "critical" means
>> > that if some app doesn't know how to handle this extension, it has to
>> > report an error and not proceed with establishing secure connection).
>>
>> The certificate with CA basic constraint would only have been used on
>> freeIPA, not on other servers. I believe freeIPA could handle such a
>> certificate.
>
> FreeIPA should be perfectly fine, the problem is with workstations. While
> (almost?) all software is capable of understanding CA basic constraint (as
> it has been known and used for ages), limiting a CA to a single domain zone using
> X.509 Name Constraints can have some side effects (apps on user workstations
> have to validate all certificates up to the root CA - if it happens that they
> don't understand name constraints, they will choke on the IPA CA certificate if
> such extension is marked "critical"; I think that's the case with the majority
> of Apple devices). I'm not aware of any CA that issues technically
> constrained sub-CAs and I think that according to the latest guidelines, they
> are required to publicly disclose other sub-CAs issued (and such CAs have to
> undergo a full WebTrust audit and have a CPS just like a regular CA).
>

Interesting, now I understand what you meant. Makes a lot of sense.

>> > As I understand, --external-ca option should be used when you already
>> > have configured PKI infrastructure in your network (for example Active
>> > Directory Certificate Services) and spinning up another internal CA is not a
>> > big deal. You've mentioned that there is already an Active Directory
>> > domain,
>> > (...)
>> >
>> Interesting. Active Directory certificate service would also be using a self
>> signed certificate, correct?
>
> Correct. AD Certificate Service can generate its own self-signed root CA
> certificate, just like FreeIPA with internal CA does. As far as I know,
> depending on how you initialize AD CS, this certificate would be deployed to
> domain-joined machines automatically or you would have to push it through
> Group Policies.

Thanks, I understand the purpose of the --external-ca flag pretty well now.

> --
> Best regards
> Mateusz Małek

Thanks a lot Mateusz. Really appreciate your great response. I now do feel I have all the info I was looking for when I started this thread.

Regards,
William

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
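The trade-off Mateusz describes (a Name Constraints extension only protects against out-of-zone issuance if relying parties enforce it, and marking it critical makes clients that do not implement it reject the whole chain) comes straight from two RFC 5280 rules. The following is an added example, not code from this thread, from FreeIPA or from AD CS: it models how a client decides whether to accept a leaf certificate issued by a name-constrained sub-CA, for dNSName constraints only. The OIDs are the standard X.509 ones; the zone `ipa.example.com`, the leaf names and the two client profiles (one that implements Name Constraints, one legacy client that does not) are constructed for illustration.

```python
"""Constructed example (not FreeIPA or AD CS code): how a relying party handles
an X.509 Name Constraints extension on a sub-CA certificate, per RFC 5280.

Two RFC 5280 rules drive the compatibility concern raised in the thread:
  * 4.2       - a validator MUST reject a certificate carrying a critical
                extension it does not recognise;
  * 4.2.1.10  - dNSName constraints: a name satisfies a subtree if it equals
                the subtree or adds labels on the left (host.example.com
                matches example.com; a leading dot, OpenSSL-style, means
                subdomains only).
Only dNSName subjectAltName entries are modelled here.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Standard extension OIDs (RFC 5280).
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_NAME_CONSTRAINTS = "2.5.29.30"


@dataclass
class NameConstraints:
    permitted: List[str]  # dNSName subtrees, e.g. "example.com" or ".example.com"
    excluded: List[str]


@dataclass
class Extension:
    oid: str
    critical: bool
    value: object  # NameConstraints for 2.5.29.30; opaque otherwise


def dns_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` lies within the dNSName constraint `subtree`."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        # OpenSSL convention: ".example.com" permits subdomains only.
        return len(name) > len(subtree) and name.endswith(subtree)
    # RFC 5280 form: the subtree itself or any name built by prepending labels.
    return name == subtree or name.endswith("." + subtree)


def dns_names_permitted(names: List[str], nc: NameConstraints) -> bool:
    """Every name must avoid all excluded subtrees and, if any permitted
    subtrees are listed, fall inside at least one of them."""
    for n in names:
        if any(dns_in_subtree(n, ex) for ex in nc.excluded):
            return False
        if nc.permitted and not any(dns_in_subtree(n, p) for p in nc.permitted):
            return False
    return True


def validate_leaf(leaf_dns_sans: List[str], ca_extensions: List[Extension],
                  supported_oids: set) -> Tuple[bool, str]:
    """Decide whether a client that understands `supported_oids` accepts a leaf
    issued by a CA carrying `ca_extensions`.  Returns (accepted, reason)."""
    for ext in ca_extensions:
        if ext.oid not in supported_oids:
            if ext.critical:
                return False, f"unrecognised critical extension {ext.oid}"
            continue  # unknown but non-critical: silently ignored (RFC 5280 4.2)
        if ext.oid == OID_NAME_CONSTRAINTS and not dns_names_permitted(leaf_dns_sans, ext.value):
            return False, "name constraints violated"
    return True, "ok"


# Constructed IPA sub-CA: CA:TRUE plus Name Constraints limiting it to one zone.
IPA_ZONE = NameConstraints(permitted=["ipa.example.com"], excluded=[])
IPA_CA_CRITICAL_NC = [
    Extension(OID_BASIC_CONSTRAINTS, True, {"ca": True}),
    Extension(OID_NAME_CONSTRAINTS, True, IPA_ZONE),
]
IPA_CA_NONCRITICAL_NC = [
    Extension(OID_BASIC_CONSTRAINTS, True, {"ca": True}),
    Extension(OID_NAME_CONSTRAINTS, False, IPA_ZONE),
]

# Two constructed client profiles: one implements Name Constraints, one does not.
MODERN_CLIENT = {OID_BASIC_CONSTRAINTS, OID_NAME_CONSTRAINTS}
LEGACY_CLIENT = {OID_BASIC_CONSTRAINTS}


if __name__ == "__main__":
    cases = [
        ("in-zone leaf, modern client", ["server1.ipa.example.com"], IPA_CA_CRITICAL_NC, MODERN_CLIENT),
        ("out-of-zone leaf, modern client", ["www.example.org"], IPA_CA_CRITICAL_NC, MODERN_CLIENT),
        ("in-zone leaf, legacy client, critical NC", ["server1.ipa.example.com"], IPA_CA_CRITICAL_NC, LEGACY_CLIENT),
        ("out-of-zone leaf, legacy client, non-critical NC", ["www.example.org"], IPA_CA_NONCRITICAL_NC, LEGACY_CLIENT),
    ]
    for label, sans, exts, client in cases:
        print(f"{label}: {validate_leaf(sans, exts, client)}")
```

The last two cases are the point of the thread: with the extension critical, a legacy client refuses even a perfectly in-zone IPA certificate, while with it non-critical the same client happily accepts a leaf outside the zone, so the constraint gives no protection on those workstations. Whether the external CA marks the extension critical therefore decides between breakage and silent non-enforcement on clients that lack Name Constraints support.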