[Freeipa-users] how to chain CA certs

Fraser Tweedale ftweedal at redhat.com
Mon Nov 2 05:40:59 UTC 2015


On Mon, Nov 02, 2015 at 01:29:48AM +0000, Sean Conley - US wrote:
> Hello,
> 
> I am new to FreeIPA and am attempting to stand up my first
> operational instance.  We do have a commercial wildcard
> certificate (*.internal.example.org) that should cover the IPA
> server itself (ipa.internal.example.org).  I used the -external-CA
> option when running the setup and so a CSR was generated.  Since
> we have a wildcard cert, I wasn't sure if I really need to submit
> the CSR to our PKI vendor.  At the same time, it's not clear to me
> through searching documents how I would extend the CA chain.  Do I
> need to submit that CSR or is there a way for me to do this on my
> own?
> 
Welcome to FreeIPA :)

If you have a relationship with a Certificate Authority willing to
sign an intermediate CA certificate for you, then you can use the
--external-ca option, submit the generated CSR to your CA and, once
you receive your signed CA certificate, continue ipa-server-install.

For a publicly-trusted intermediate CA cert, you are probably
looking at $10,000s or $100,000s in fees, infrastructure and
compliance costs to achieve this.  Public CAs much prefer to keep
you coming back to them for publicly trusted certificates :)

If you already have some internal CA for your organisation, you can
use it to sign the CSR.

Otherwise, you can install FreeIPA with its own root CA (this is the
default).

HTH,
Fraser

> Any assistance is much appreciated.
> 
> Sean
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
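The internal-CA path Fraser describes, as an added example that is not part of the mail above nor the FreeIPA project's own code: an internal OpenSSL root signs the CSR that `ipa-server-install --external-ca` writes, using a profile that makes the result an intermediate CA certificate (basicConstraints CA:TRUE) rather than an ordinary server certificate, and the result is checked before the install is continued. The openssl CLI, the file names, subjects, lifetimes and the work directory are assumptions chosen here; the CSR is a constructed stand-in for the one IPA writes (by default to /root/ipa.csr), and the `--external-cert-file` flags echoed at the end are the FreeIPA 4.x names, so check `ipa-server-install --help` on your version.

```shell
#!/bin/sh
# Added example, not from the mail or from FreeIPA: sign IPA's external-CA CSR
# with an internal OpenSSL root so that it becomes a subordinate CA cert, and
# verify that before continuing ipa-server-install.  Assumptions: openssl CLI
# is installed; names, subjects and lifetimes below are chosen for the demo;
# the CSR is a constructed stand-in for /root/ipa.csr.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL config with three extension profiles: the internal root, the profile
# the IPA CA needs (CA:TRUE), and the server profile that must NOT be used.
write_config() {
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
[dn]
# subject is supplied on the command line with -subj

[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Subordinate CA that may not itself issue further CAs.
[ipa_ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# What you get if the CSR is signed like a web-server certificate.
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Throwaway internal root CA (stand-in for the organisation's existing CA).
make_internal_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Org/CN=Example Internal Root CA" \
    -config "$WORK/ca.cnf" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Constructed stand-in for the CSR ipa-server-install --external-ca writes
# (IPA's default CA subject is "CN=Certificate Authority, O=<REALM>").
make_ipa_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=INTERNAL.EXAMPLE.ORG/CN=Certificate Authority" \
    -config "$WORK/ca.cnf" -keyout "$WORK/ipa.key" -out "$WORK/ipa.csr" 2>/dev/null
}

# sign_csr <csr> <extension section> <out>: sign with the internal root.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.cnf" \
    -extensions "$2" -out "$3" 2>/dev/null
}

# Returns 0 only if the certificate asserts basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# chain_verifies <root.pem> <cert.pem>: returns 0 only if cert chains to root.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
  write_config
  make_internal_root
  make_ipa_csr
  sign_csr "$WORK/ipa.csr" ipa_ca_ext "$WORK/ipa-ca.pem"     # correct: CA cert
  sign_csr "$WORK/ipa.csr" server_ext "$WORK/ipa-wrong.pem"  # wrong: server cert
  for f in ipa-ca.pem ipa-wrong.pem; do
    if is_ca_cert "$WORK/$f" && chain_verifies "$WORK/root.pem" "$WORK/$f"; then
      echo "$f: CA:TRUE and chains to root -> usable for ipa-server-install"
    else
      echo "$f: not a CA certificate or does not chain -> install would fail"
    fi
  done
  # Continue the install with the signed CA cert plus the chain above it
  # (flag names as in FreeIPA 4.x; confirm with ipa-server-install --help).
  echo "ipa-server-install --external-cert-file=$WORK/ipa-ca.pem" \
       "--external-cert-file=$WORK/root.pem"
}

main
```

The check matters because a CA operator who treats the CSR like any other request will sign it with a server profile (CA:FALSE), and the resulting certificate chains perfectly well yet cannot be installed as the IPA CA; `is_ca_cert` catches that before you resume the installer.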
