[Freeipa-devel] Multiple CA certificates in LDAP, questions

Jan Cholasta jcholast at redhat.com
Mon Sep 9 14:21:39 UTC 2013


On 9.9.2013 16:05, John Dennis wrote:
> On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
>> On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
>>> Should each IPA service (LDAP, HTTP, PKINIT) have its own
>>> distinctive set of trusted CAs, or is using one set for everything
>>> good enough? Using distinctive sets would allow granular control
>>> over what CA is trusted for what service (e.g. trust CA1 to issue
>>> certificates for LDAP and HTTP, but trust CA2 only to issue
>>> certificates for HTTP), but I'm not sure how useful that would be in
>>> the real world.
>>
>> I'd expect it to depend heavily on whether or not you're chaining up to
>> an external CA.  Personally, I'd very much want to keep a different set
>> of trust anchors for PKINIT in that situation.
>
> If you've got an external CA you still effectively have one trust anchor
> that can be revoked because we create a sub-CA from the external CA. Or
> perhaps I misunderstood what you were suggesting.
>

Don't forget about CA-less; you can theoretically have more than one 
trust anchor in that case.

-- 
Jan Cholasta
