[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used

Rob Crittenden rcritten at redhat.com
Thu Jun 13 02:34:54 UTC 2013


Jan Pazdziora wrote:
> On Fri, Jun 07, 2013 at 09:23:48AM -0400, Dmitri Pal wrote:
>>>
>>> The problem is that if you pass IPA certificates issued by CA2 and
>>> point it to CA1 at the same time, it does not work (despite having the
>>> complete trust chain).
>>
>> But why would you do so? What would be the reason and business case? Why
>> not point to CA2?
>
> Could the business case be an IPA server in a DMZ which does not have
> access to CA2 but it can get to (public) CA1?
>

A client does need to be able to contact a CA in order to trust it.

rob



