[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used
Jan Cholasta
jcholast at redhat.com
Mon Jun 10 09:29:01 UTC 2013
On 7.6.2013 15:23, Dmitri Pal wrote:
> On 06/07/2013 09:08 AM, Jan Cholasta wrote:
>> On 7.6.2013 14:54, Dmitri Pal wrote:
>>> On 06/07/2013 08:26 AM, Martin Kosek wrote:
>>>> On 06/07/2013 02:04 PM, Dmitri Pal wrote:
>>>>> On 06/07/2013 03:47 AM, freeipa wrote:
>>>>>> #3668: CA-less install fails when intermediate CA is used
>>>>>> -------------------------------------+-------------------------------------
>>>>>>
>>>>>> Reporter: jcholast | Owner: jcholast
>>>>>> Type: defect | Status: assigned
>>>>>> Priority: major | Milestone: 2013 Month 06 - June (3.2.x bug fixing)
>>>>>> Component: Installation | Version:
>>>>>> Resolution: | Keywords:
>>>>>> Blocked By: | Blocking:
>>>>>> Tests Updated: 0 | Affects DOC: 0
>>>>>> Patch posted for review: 0 | Red Hat Bugzilla:
>>>>>> Source: | Effort Type:
>>>>>> Targeted feature: | Design link:
>>>>>> Design review: 0 | Fedora test page:
>>>>>> Chosen: | Needs UI design:
>>>>>> -------------------------------------+-------------------------------------
>>>>>>
>>>>>> Release Notes:
>>>>>>
>>>>>>
>>>>>> -------------------------------------+-------------------------------------
>>>>>>
>>>>>> Changes (by mkosek):
>>>>>>
>>>>>> * rhbz: 0 =>
>>>>>>
>>>>>>
>>>>>> Comment:
>>>>>>
>>>>>> We do not support intermediate CAs for external CA install or CA-less
>>>>>> install. Thus, this ticket cannot be easily solved without extensive
>>>>>> changes to the installer. Related to #3274 (Pilsner milestone).
>>>>>>
>>>>>> Moving back to triage to decide what to do about this ticket.
>>>>>>
>>>>> So you are saying that the CA we chain to or get the certs from should
>>>>> always be a root CA?
>>>>> Why does it matter for our code whether the CA we deal with is a Root
>>>>> CA or not?
>>>> No, this is a case when the CA you pass to FreeIPA is not a direct
>>>> "parent" of the HTTP/DIRSRV certificates, i.e. there is an intermediate
>>>> CA between the CA passed to IPA and the actual certs.
>>>
>>> My question is what prevents you from giving IPA the certs from the direct
>>> parent. What is the use case or real world scenario where the parent
>>> certs are not available?
>>> Just trying to wrap my head around it.
>>>
>>> I have CA 1 and CA 2. CA 2 is a sub CA of 1.
>>> I have certs from CA 1.
>>> If I pass them to IPA but point to CA2 it would not work. OK.
>>> The example can be that CA1 is a public CA and CA2 is my CA. But what
>>> prevents me from giving IPA the certs from CA2? Why would I try to give
>>> IPA certs from CA1?
>>>
>>> Do I understand the scenario correctly?
>>>
>>
>> Nothing is preventing you from giving IPA certs from CA2; this works fine.
>>
>> The problem is that if you pass IPA certificates issued by CA2 and
>> point it to CA1 at the same time, it does not work (despite having the
>> complete trust chain).
>>
>> Honza
>>
>
> But why would you do so? What would be the reason and business case? Why
> not point to CA2?
>
I'm not sure, but this is apparently why --root-ca-cert was added to
ipa-server-install. If the CA that issued the server certificates should
always be used as root CA in IPA, then --root-ca-cert is redundant.
Honza
--
Jan Cholasta
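Added example, not from the thread or from FreeIPA's code: it builds the CA1 -> CA2 -> server chain discussed above with the openssl CLI (assumed to be 1.1.1 or newer with its default config on PATH) and checks which trust anchors let the server certificate validate. The -partial_chain flag stands in for IPA treating the supplied --root-ca-cert as the anchor; the third case shows the failure mode when CA1 is the anchor but the intermediate is not supplied.

```shell
#!/bin/sh
# Constructed demo of the ticket's scenario: root CA1 -> sub CA2 -> server cert.
# Every name and certificate here is generated on the fly; nothing is real.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: one for CA certificates, one for the server (end-entity) cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > ee.ext

# CA1: self-signed root.
openssl req -new -newkey rsa:2048 -nodes -keyout ca1.key -out ca1.csr -subj "/CN=CA1" 2>/dev/null
openssl x509 -req -in ca1.csr -signkey ca1.key -days 1 -extfile ca.ext -out ca1.pem 2>/dev/null

# CA2: sub CA issued by CA1 (the "intermediate" from the ticket).
openssl req -new -newkey rsa:2048 -nodes -keyout ca2.key -out ca2.csr -subj "/CN=CA2" 2>/dev/null
openssl x509 -req -in ca2.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial -days 1 -extfile ca.ext -out ca2.pem 2>/dev/null

# Server certificate (think HTTP/DIRSRV) issued by CA2, hostname is made up.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=ipa.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA ca2.pem -CAkey ca2.key -CAcreateserial -days 1 -extfile ee.ext -out server.pem 2>/dev/null

# chain_ok ANCHOR [UNTRUSTED]: returns 0 if server.pem validates with ANCHOR as
# the only trusted CA, optionally using UNTRUSTED as a bundle of intermediates.
# -partial_chain lets a non-self-signed CA act as the anchor (the thread says
# pointing IPA at CA2 works); -no-CAfile/-no-CApath keep the system store out.
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$1" -untrusted "$2" server.pem >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$1" server.pem >/dev/null 2>&1
  fi
}

# Report the three situations the discussion distinguishes.
show() { if chain_ok "$2" "$3"; then echo "ok    $1"; else echo "FAIL  $1"; fi; }
show "anchor CA2 (direct parent)"              ca2.pem
show "anchor CA1, CA2 supplied as chain"       ca1.pem ca2.pem
show "anchor CA1 alone (intermediate missing)" ca1.pem
```

Only the last case fails; an installer that validates the server certificate against --root-ca-cert without consulting the supplied intermediate sees exactly that error.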