<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 02/06/2015 10:38 AM, Natxo Asenjo
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAHBEJzWC+bX-do0ENEjxuDhP=-XJ_QYO1Fx+XvSRE_N0Ad62HQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">On Fri, Feb 6, 2015 at 3:30 PM,
            Martin Kosek <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex"><span class="">On
                02/06/2015 12:53 AM, Christopher Young wrote:<br>
                > Obvious next question:  Any plans to implement that
                functionality or advice<br>
                > on how one might get some level of functionality
                for this?  Would it be<br>
                > possible to create another command-line based
                openssl CA that could issue<br>
                > these but using IPA as the root CA for those?<br>
                <br>
              </span>As for FreeIPA plans, we plan to vastly improve our
              flexibility to process<br>
              certificates in next upstream version - FreeIPA 4.2. In
              next version, one<br>
              should be able to create other certificate profiles (from
              FreeIPA default<br>
              service cert profile) or even subCAs to do what you want.<br>
              <br>
            </blockquote>
            <div><br>
              nice. When do all these things land in RHEL? <br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    It we manage to land 4.2 in RHEL 7.2 then it will be there.<br>
    Time will show how successful we will be with this plan so no
    promises so far.<br>
    <br>
    <blockquote
cite="mid:CAHBEJzWC+bX-do0ENEjxuDhP=-XJ_QYO1Fx+XvSRE_N0Ad62HQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              As for current workarounds, you would have to issue and
              sign a for example NSS<br>
              or openssl based subCA and then sign user certs there. But
              I would leave Fraser<br>
              or Jan to tell if this would be really possible.</blockquote>
          </div>
          <br>
        </div>
        <div class="gmail_extra">some examples on how to do that would
          be very helpful. I would love to authenticate users to mysql
          using our CA, for instance.<br>
          <br>
        </div>
        <div class="gmail_extra">-- <br>
        </div>
        <div class="gmail_extra">regards,<br>
          natxo<br>
        </div>
        <div class="gmail_extra"><br>
          <br>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>