[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used

Rob Crittenden rcritten at redhat.com
Fri Jun 14 19:43:26 UTC 2013


Rob Crittenden wrote:
> Jan Pazdziora wrote:
>> On Fri, Jun 07, 2013 at 09:23:48AM -0400, Dmitri Pal wrote:
>>>>
>>>> The problem is that if you pass IPA certificates issued by CA2 and
>>>> point it to CA1 at the same time, it does not work (despite having the
>>>> complete trust chain).
>>>
>>> But why would you do so? What would be the reason and business case? Why
>>> not point to CA2?
>>
>> Could the business case be an IPA server in a DMZ which does not have
>> access to CA2 but it can get to (public) CA1?
>>
>
> A client does need to be able to contact a CA in order to trust it.

Of course I meant that a client does NOT need to contact a CA. It just 
needs the CA cert.

rob



