[Freeipa-users] PKI signing certificate question

Mateusz Małek mmalek at iisg.agh.edu.pl
Mon Aug 1 21:20:33 UTC 2016 

William,

On 29.07.2016 at 22:27, William Muriithi wrote:

 > Is anyone here been successful in getting external CA to sign this 
kind of certificate?  I have just tried to convince DigiCert for 2 days 
that there is no harm issuing this kind of certificate as long us it's 
restricted to one domain without success.
 >
 > Which external CA would be more open to signing this kind of certificate?

I'm afraid that there is not a single external CA that would sign 
request for CA certificate. They need to make sure that certificate 
would not be used for fraudulent purposes (for e.g. Man-in-the-Middle 
attacks) which usually means that they keep control of all subordinate 
CAs they create (you can only place requests for client or server 
certificates - but domain ownership validation and certificate issuance 
takes place in their infrastructure) or they verified that you securely 
store your private key in dedicated HSM and have adequate policies and 
rules regarding certificate issuance.

There is "X.509 Name Constraints" extension for certificates, however 
external CA would have to make this extension as "critical" (which would 
probably cause compatibility issues with some software - "critical" 
means that if some app doesn't know how to handle this extension, it has 
to report error and do not proceed with establishing secure connection). 
Also, if they decide to sell such CA certificate, it would probably be 
much more expensive than "simple" one (as this would allow you to issue 
further certificates for your domain without paying external CAs for them).

You can either go CA-less and buy certificates for all your services or 
use free certificates from Let's Encrypt (if you want to want your 
certificates to validate "nicely" on users own devices) or use internal 
CA and install its root certificate on all hosts using your IPA server. 
As I understand, --external-ca option should be used when you already 
have configured PKI infrastructure in your network (for example Active 
Directory Certificate Services) and spinning another internal CA is not 
a big deal. You've mentioned that there is already an Active Directory 
domain, so the last options seems the easiest one - internal CA root 
certificate can be deployed to Windows workstation using AD and IPA 
configured with external CA would automatically deploy internal root CA 
to Linux workstations on during ipa-client-install.

-- 
Best regards
Mateusz Małek

Network and Computer Systems Administrator
Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology

More information about the Freeipa-users mailing list