[Freeipa-users] PKI signing certificate question
Mateusz Małek
mmalek at iisg.agh.edu.pl
Mon Aug 1 21:20:33 UTC 2016
William,
On 29.07.2016 at 22:27, William Muriithi wrote:
> Has anyone here been successful in getting an external CA to sign this
> kind of certificate? I have just tried to convince DigiCert for 2 days
> that there is no harm issuing this kind of certificate as long as it's
> restricted to one domain, without success.
>
> Which external CA would be more open to signing this kind of certificate?
I'm afraid that there is not a single external CA that would sign a
request for a CA certificate. They need to make sure that the certificate
would not be used for fraudulent purposes (e.g. man-in-the-middle
attacks), which usually means that they keep control of all subordinate
CAs they create (you can only place requests for client or server
certificates - but domain ownership validation and certificate issuance
take place in their infrastructure) or they have verified that you securely
store your private key in a dedicated HSM and have adequate policies and
rules regarding certificate issuance.
There is an "X.509 Name Constraints" extension for certificates; however,
the external CA would have to mark this extension as "critical" (which would
probably cause compatibility issues with some software - "critical"
means that if some app doesn't know how to handle this extension, it has
to report an error and not proceed with establishing a secure connection).
Also, if they decided to sell such a CA certificate, it would probably be
much more expensive than a "simple" one (as this would allow you to issue
further certificates for your domain without paying external CAs for them).
You can either go CA-less and buy certificates for all your services or
use free certificates from Let's Encrypt (if you want your
certificates to validate "nicely" on users' own devices), or use an internal
CA and install its root certificate on all hosts using your IPA server.
As I understand it, the --external-ca option should be used when you already
have a configured PKI infrastructure in your network (for example Active
Directory Certificate Services) and spinning up another internal CA is not
a big deal. You've mentioned that there is already an Active Directory
domain, so the last option seems the easiest one - the internal CA root
certificate can be deployed to Windows workstations using AD, and IPA
configured with an external CA would automatically deploy the internal root CA
to Linux workstations during ipa-client-install.
--
Best regards
Mateusz Małek
Network and Computer Systems Administrator
Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology
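The message above discusses a name-constrained subordinate CA and why the Name Constraints extension has to be marked critical. The following is an added example written for this page; it is not code from the FreeIPA project or from anyone in the thread. It uses the pyca/cryptography library to build a constructed three-level chain (root, a sub CA limited to example.com, and two leaves), then runs a small RFC 5280-style check: signatures, CA flags, the permitted dNSName subtrees, and rejection of any critical extension the verifier does not understand. All names (Test Root, example.com, other.org) and the hypothetical `UNDERSTOOD` set are assumptions for the example; the "legacy" case shows what a client that does not implement Name Constraints must do with the critical flag set.

```python
"""Root -> name-constrained sub CA -> leaf, with an RFC 5280-style check.

Added example for this page (not FreeIPA code). Requires pyca/cryptography.
All certificate names and keys are constructed here, in memory, for the demo.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Hypothetical set of extensions this toy verifier implements. RFC 5280 4.2:
# a critical extension outside this set must cause rejection of the cert.
UNDERSTOOD = {
    ExtensionOID.BASIC_CONSTRAINTS,
    ExtensionOID.KEY_USAGE,
    ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
    ExtensionOID.NAME_CONSTRAINTS,
}


def _issue(cn, key, issuer_cert, issuer_key, ca, extra=()):
    """Issue a cert for `key`; self-signed when issuer_cert/issuer_key are None."""
    now = datetime.now(timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    for ext, critical in extra:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())


def dns_name_permitted(name, permitted):
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals the
    constraint or is a subdomain of it ("example.com" covers "host.example.com",
    but not "hostexample.com" or "example.com.evil.org")."""
    name = name.lower().rstrip(".")
    for base in permitted:
        base = base.lower().lstrip(".").rstrip(".")
        if name == base or name.endswith("." + base):
            return True
    return False


def verify_chain(leaf, intermediates, root, understood=UNDERSTOOD):
    """Return (ok, reason). Checks unknown critical extensions, signatures,
    CA flags and that every CA's permitted dNSName subtrees cover the leaf SANs."""
    chain = [leaf] + list(intermediates) + [root]
    for cert, issuer in zip(chain, chain[1:] + [root]):  # root verifies itself
        for ext in cert.extensions:
            if ext.critical and ext.oid not in understood:
                return False, "unknown critical extension %s in %s" % (
                    ext.oid.dotted_string, cert.subject.rfc4514_string())
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, "bad signature on " + cert.subject.rfc4514_string()
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    leaf_names = san.get_values_for_type(x509.DNSName)
    for ca in chain[1:]:
        if not ca.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, ca.subject.rfc4514_string() + " is not a CA"
        try:
            nc = ca.extensions.get_extension_for_class(x509.NameConstraints).value
        except x509.ExtensionNotFound:
            continue
        permitted = [n.value for n in (nc.permitted_subtrees or [])
                     if isinstance(n, x509.DNSName)]
        for name in leaf_names:
            if permitted and not dns_name_permitted(name, permitted):
                return False, "%s outside permitted subtrees %s of %s" % (
                    name, permitted, ca.subject.rfc4514_string())
    return True, "ok"


def build_demo():
    """Constructed PKI: root, sub CA constrained to example.com, two leaves."""
    root_key, sub_key, good_key, bad_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = _issue("Test Root", root_key, None, None, ca=True)
    constraint = x509.NameConstraints(
        permitted_subtrees=[x509.DNSName("example.com")], excluded_subtrees=None)
    sub = _issue("example.com Sub CA", sub_key, root, root_key, ca=True,
                 extra=[(constraint, True)])  # critical, as the CA would mark it

    def leaf(cn, key):
        san = x509.SubjectAlternativeName([x509.DNSName(cn)])
        return _issue(cn, key, sub, sub_key, ca=False, extra=[(san, False)])

    return root, sub, leaf("ipa.example.com", good_key), leaf("www.other.org", bad_key)


def demo():
    """good: inside the constraint; bad: outside it; legacy: a client that does
    not implement NameConstraints must reject the critical extension."""
    root, sub, good, bad = build_demo()
    return {
        "good": verify_chain(good, [sub], root)[0],
        "bad": verify_chain(bad, [sub], root)[0],
        "legacy": verify_chain(good, [sub], root,
                               understood=UNDERSTOOD - {ExtensionOID.NAME_CONSTRAINTS})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The "legacy" result is the compatibility cost the message refers to: once the extension is critical, software that does not implement it cannot simply ignore it, so a constrained sub CA is only as usable as the least capable client that has to validate its chain.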