Hi folks, Instead of a self-signed certificate I would like to use an external CA to sign freeipa's CSR ("ipa-server-install --external-ca"). Question: Is pathlen:0, e.g. basicConstraints=critical,CA:TRUE, pathlen:0 sufficient for freeipa's CA certificate? Regards Harri