[Freeipa-users] Status on Sub-CAs for FreeIPA v4.2

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 1 14:19:20 UTC 2015


On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
>Hi,
>
>I am currently trying to use FreeIPA to issue client certificates for
>some internal application we have. (More precisely, SSL double
>authentication between two of my applications, client side would be
>java, server-side would be apache httpd.) I considered two options :
>
>1. Issue client certificates directly from FreeIPA : It does not seem
>that it's currently "supported". I can actually generate a client
>certificate by creating a new principal for a host, and use ipa-getcert
>to generate a certificate for it. However, this certificate is valid for
>both user and server authentication, and I cannot change it.
>Furthermore, I cannot change the CN of the certificate, it is the
>server's hostname for which the principal has been generated. That's a
>poor solution.
>
>
>2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to
>do whatever I want to do. I tried to use the dogtag profiles with the
>ipa-getcert -T option, but the profiles were ignored when I tried to use
>them. And I always got 'regular' certificates.
>
>I did some research, and found this RFE :
>http://www.freeipa.org/page/V4/Sub-CAs
>
>And this Sub-CA notion seems to be perfect for what I want to do. When
>I'm looking at the ticket, it seems that it is quietly sleeping
>somewhere, remaining not updated.
>
>I would love to see this feature in FreeIPA v4.2, does anyone have a
>status on this RFE and its current status ?
Design page is there, the work happens on freeipa-devel at . There are
multiple patches in the review process right now. If you are willing to
help with testing them, welcome to the development list.

-- 
/ Alexander Bokovoy
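The first option in the question turns on the certificate's extendedKeyUsage: a certificate that carries both serverAuth and clientAuth can be presented by either side of the mutual-TLS handshake, so an httpd that only checks "is this cert signed by the IPA CA" cannot tell a client credential from a stolen server credential. The following is an added example, not code from this thread or from FreeIPA: a small DER parser for the extendedKeyUsage value (RFC 5280, section 4.2.1.12) and a check that a certificate is restricted to clientAuth. The two byte strings are constructed sample extension values; in practice you would take the extension bytes out of the certificate with a library such as python-cryptography (`cert.extensions`), which is assumed here and not shown.

```python
"""Parse a DER-encoded extendedKeyUsage value and decide whether a
certificate is restricted to TLS client authentication.

Added example; the sample DER bytes below are constructed, not taken
from a real FreeIPA-issued certificate."""

# Well-known extended key usage OIDs (RFC 5280 section 4.2.1.12)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Constructed sample: EKU SEQUENCE { serverAuth, clientAuth } (the dual-use
# shape described in the question)
DUAL_USE_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
# Constructed sample: EKU SEQUENCE { clientAuth } only
CLIENT_ONLY_EKU = bytes.fromhex("300a" "06082b06010505070302")


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV")
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("bad length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated value")
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    # The first octet packs the first two arcs (40*a + b); arcs >= 80 mean a == 2.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    n, pending = 0, False
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        pending = bool(b & 0x80)  # high bit set: more base-128 digits follow
        if not pending:
            arcs.append(n)
            n = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Return the list of purpose OIDs in an extendedKeyUsage extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extendedKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU SEQUENCE")
        oids.append(decode_oid(v))
    if not oids:
        raise ValueError("EKU SEQUENCE must contain at least one purpose")
    return oids


def describe_eku(der):
    """Human-readable purpose names, keeping unknown OIDs visible."""
    return [EKU_NAMES.get(o, "unknown(" + o + ")") for o in parse_eku(der)]


def client_auth_only(eku_der):
    """True only if the EKU restricts the certificate to clientAuth.

    eku_der=None models a certificate without the extension at all, which
    RFC 5280 treats as usable for any purpose, so it is NOT client-only.
    anyExtendedKeyUsage alongside clientAuth likewise fails the check."""
    if eku_der is None:
        return False
    return parse_eku(eku_der) == [CLIENT_AUTH]


if __name__ == "__main__":
    for label, der in (("dual-use", DUAL_USE_EKU), ("client-only", CLIENT_ONLY_EKU)):
        print(label, describe_eku(der), "client_auth_only:", client_auth_only(der))
```

The parser deliberately rejects anything that is not a flat SEQUENCE of OIDs and refuses an empty SEQUENCE, so a malformed extension fails loudly instead of being read as "no restriction". On the httpd side the same policy can be expressed without code by enabling client-certificate verification and restricting accepted purposes, but the check above is useful in issuance pipelines and audits, where you want to reject a dual-use certificate before it is handed to a client.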