[Freeipa-devel] Multiple CA certificates in LDAP, questions

Nalin Dahyabhai nalin at redhat.com
Mon Sep 9 14:02:21 UTC 2013


On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
> Should each IPA service (LDAP, HTTP, PKINIT) have its own
> distinctive set of trusted CAs, or is using one set for everything
> good enough? Using distinctive sets would allow granular control
> over what CA is trusted for what service (e.g. trust CA1 to issue
> certificates for LDAP and HTTP, but trust CA2 only to issue
> certificates for HTTP), but I'm not sure how useful that would be in
> the real world.

I'd expect it to depend heavily on whether or not you're chaining up to
an external CA.  Personally, I'd very much want to keep a different set
of trust anchors for PKINIT in that situation.

HTH,

Nalin
