<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/06/2015 10:38 AM, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzWC+bX-do0ENEjxuDhP=-XJ_QYO1Fx+XvSRE_N0Ad62HQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Feb 6, 2015 at 3:30 PM,
Martin Kosek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><span class="">On
02/06/2015 12:53 AM, Christopher Young wrote:<br>
> Obvious next question: Any plans to implement that
functionality or advice<br>
> on how one might get some level of functionality
for this? Would it be<br>
> possible to create another command-line based
openssl CA that could issue<br>
> these but using IPA as the root CA for those?<br>
<br>
</span>As for FreeIPA plans, we plan to vastly improve our
flexibility to process<br>
certificates in next upstream version - FreeIPA 4.2. In
next version, one<br>
should be able to create other certificate profiles (from
FreeIPA default<br>
service cert profile) or even subCAs to do what you want.<br>
<br>
</blockquote>
<div><br>
nice. When do all these things land in RHEL? <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
It we manage to land 4.2 in RHEL 7.2 then it will be there.<br>
Time will show how successful we will be with this plan so no
promises so far.<br>
<br>
<blockquote
cite="mid:CAHBEJzWC+bX-do0ENEjxuDhP=-XJ_QYO1Fx+XvSRE_N0Ad62HQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
As for current workarounds, you would have to issue and
sign a for example NSS<br>
or openssl based subCA and then sign user certs there. But
I would leave Fraser<br>
or Jan to tell if this would be really possible.</blockquote>
</div>
<br>
</div>
<div class="gmail_extra">some examples on how to do that would
be very helpful. I would love to authenticate users to mysql
using our CA, for instance.<br>
<br>
</div>
<div class="gmail_extra">-- <br>
</div>
<div class="gmail_extra">regards,<br>
natxo<br>
</div>
<div class="gmail_extra"><br>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>