[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used
Dmitri Pal
dpal at redhat.com
Fri Jun 7 13:23:48 UTC 2013
On 06/07/2013 09:08 AM, Jan Cholasta wrote:
> On 7.6.2013 14:54, Dmitri Pal wrote:
>> On 06/07/2013 08:26 AM, Martin Kosek wrote:
>>> On 06/07/2013 02:04 PM, Dmitri Pal wrote:
>>>> On 06/07/2013 03:47 AM, freeipa wrote:
>>>>> #3668: CA-less install fails when intermediate CA is used
>>>>> -------------------------------------+-------------------------------------
>>>>>
>>>>> Reporter: jcholast | Owner: jcholast
>>>>> Type: defect | Status: assigned
>>>>> Priority: major | Milestone: 2013 Month 06 - June (3.2.x bug fixing)
>>>>> Component: Installation | Version:
>>>>> Resolution: | Keywords:
>>>>> Blocked By: | Blocking:
>>>>> Tests Updated: 0 | Affects DOC: 0
>>>>> Patch posted for review: 0 | Red Hat Bugzilla:
>>>>> Source: | Effort Type:
>>>>> Targeted feature: | Design link:
>>>>> Design review: 0 | Fedora test page:
>>>>> Chosen: | Needs UI design:
>>>>> -------------------------------------+-------------------------------------
>>>>>
>>>>> Release Notes:
>>>>>
>>>>>
>>>>> -------------------------------------+-------------------------------------
>>>>>
>>>>> Changes (by mkosek):
>>>>>
>>>>> * rhbz: 0 =>
>>>>>
>>>>>
>>>>> Comment:
>>>>>
>>>>> We do not support intermediate CAs for external CA install or CA-less
>>>>> install. Thus, this ticket cannot be easily solved without extensive
>>>>> changes to the installer. Related to #3274 (Pilsner milestone).
>>>>>
>>>>> Moving back to triage to decide what to do about this ticket.
>>>>>
>>>> So you are saying that the CA we chain to or get the certs from should
>>>> always be a root CA?
>>>> Why does it matter for our code whether the CA we deal with is a Root
>>>> CA or not?
>>> No, this is a case when a CA you pass for FreeIPA is not a direct
>>> "parent" of HTTP/DIRSRV certificates, i.e. there is an intermediate CA
>>> between the CA passed to IPA and the actual certs.
>>
>> My question is what prevents you from giving IPA the certs from the direct
>> parent. What is the use case or real world scenario where the parent
>> certs are not available?
>> Just trying to wrap my head around it.
>>
>> I have CA 1 and CA 2. CA 2 is a sub CA of 1.
>> I have certs from CA 1
>> If I pass them to IPA but point to CA2 it would not work. OK
>> The example can be that CA1 is a public CA and CA2 is my CA. But what
>> prevents me from giving IPA the certs from CA2? Why would I try to give
>> IPA certs from CA1?
>>
>> Do I understand the scenario correctly?
>>
>
> Nothing is preventing you from giving IPA certs from CA2, this works fine.
>
> The problem is that if you pass IPA certificates issued by CA2 and
> point it to CA1 at the same time, it does not work (despite having the
> complete trust chain).
>
> Honza
>
But why would you do so? What would be the reason and business case? Why
not point to CA2?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
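The three situations described in the exchange above (certs from CA2 with the installer pointed at CA2; certs from CA2 pointed at CA1 with the complete chain available; certs from CA1 pointed at CA2), reproduced as an added pre-install check. This is not code from the thread or from FreeIPA: it builds a constructed CA1 -> CA2 -> server chain with openssl and classifies the CA a caller intends to pass as the leaf's direct issuer, an ancestor reachable only through an intermediate, or a CA that does not anchor the leaf with what was supplied. The subject names, hostnames, extension profiles and file layout are assumptions; it needs openssl 1.0.2 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA. Constructs a CA1 -> CA2 -> server
# chain and classifies a candidate CA relative to a server certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed extension profiles: one for CAs, one for the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"

# $1 = name, $2 = subject (assumed names, for illustration only)
gen_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
gen_key_csr ca1    "/CN=Example Root CA1"
gen_key_csr ca2    "/CN=Example Sub CA2"
gen_key_csr server "/CN=ipa.example.test"
gen_key_csr other  "/CN=other.example.test"

# CA1 self-signs; CA2 is issued by CA1; the server cert is issued by CA2;
# "other" is issued directly by CA1 (the "certs from CA 1" case in the thread).
openssl x509 -req -in "$WORK/ca1.csr" -signkey "$WORK/ca1.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca1.pem" 2>/dev/null
openssl x509 -req -in "$WORK/ca2.csr" -CA "$WORK/ca1.pem" -CAkey "$WORK/ca1.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/ca2.pem" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca2.pem" -CAkey "$WORK/ca2.key" \
  -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
openssl x509 -req -in "$WORK/other.csr" -CA "$WORK/ca1.pem" -CAkey "$WORK/ca1.key" \
  -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/other.pem" 2>/dev/null

# Is the CA in $1 the direct "parent" of the certificate in $2? The issuer
# name must equal the CA's subject AND the CA's key must verify the signature.
# -partial_chain lets a non-root CA (CA2) act as the trust anchor on its own.
is_direct_issuer() {
  ca_subject=$(openssl x509 -noout -subject -in "$1")
  cert_issuer=$(openssl x509 -noout -issuer -in "$2")
  [ "${ca_subject#subject=}" = "${cert_issuer#issuer=}" ] || return 1
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the CA in $1 anchor the certificate in $3 when the intermediates in $2
# (optional) are supplied as untrusted chain material? This is the "complete
# trust chain" case: it verifies fine here even though the installer discussed
# in the thread still wants the direct parent.
chain_verifies() {
  if [ -n "$2" ]; then
    openssl verify -partial_chain -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -partial_chain -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# classify_ca CA INTERMEDIATES CERT prints one of:
#   direct    CA is the leaf's issuer (what the installer expects)
#   ancestor  CA is higher up; the leaf is only reachable via INTERMEDIATES
#   no-chain  CA does not anchor the leaf with the material given
classify_ca() {
  if is_direct_issuer "$1" "$3"; then
    echo direct
  elif chain_verifies "$1" "$2" "$3"; then
    echo ancestor
  else
    echo no-chain
  fi
}

# Stand-alone run: the three scenarios from the thread plus the "pointed at the
# root, intermediate not supplied" variant.
printf '%-40s %s\n' "server cert from CA2, point at CA2:" "$(classify_ca "$WORK/ca2.pem" "" "$WORK/server.pem")"
printf '%-40s %s\n' "server cert from CA2, point at CA1 + CA2:" "$(classify_ca "$WORK/ca1.pem" "$WORK/ca2.pem" "$WORK/server.pem")"
printf '%-40s %s\n' "server cert from CA2, point at CA1 only:" "$(classify_ca "$WORK/ca1.pem" "" "$WORK/server.pem")"
printf '%-40s %s\n' "cert from CA1, point at CA2:" "$(classify_ca "$WORK/ca2.pem" "" "$WORK/other.pem")"
```

Running it prints `direct` for the first case, `ancestor` for the second (the configuration the ticket is about: the chain is complete, but the CA handed over is not the direct parent), and `no-chain` for the last two. The name comparison in `is_direct_issuer` is deliberately done before the signature check so that a mismatch is reported even when openssl would otherwise accept the chain through an intermediate it finds elsewhere.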