[Freeipa-users] PKI signing certificate question

William Muriithi william.muriithi at gmail.com
Tue Aug 2 11:52:25 UTC 2016 

Mateusz



>> > There is "X.509 Name Constraints" extension for certificates, however
>> > external CA would have to make this extension as "critical" (which would
>> > probably cause compatibility issues with some software - "critical" means
>> > that if some app doesn't know how to handle this extension, it has to report
>> > error and do not proceed with establishing secure connection).
>>
>> The certificate with CA basic constraint would only have been used on
>> freeIPA, not on other servers. I believe freeIPA could handle such a
>> certificate.
>
> FreeIPA should be perfectly fine, the problem is with workstations. While
> (almost?) all software is capable of understanding CA basic constraint (as
> it was known and used for ages), limiting CA to single domain zone using
> X.509 Name Constraints can have some side effects (apps on user workstation
> have to validate all certificates up to root CA - if it happens that they
> don't understand name constraints, they will choke on IPA CA certificate if
> such extension is marked "critical"; I think that's the case with majority
> of Apple devices). I'm not aware of any CA that issues technically
> constrained sub-CAs and I think that according to latest guidelines, they
> are required to publicly disclose other sub-CAs issued (and such CAs have to
> undergo full WebTrust audit and have CPS just like regular CA).
>
Interesting, now I understand what you meant. Make a lot of sense.


>> > As I understand, --external-ca option should be used when you already
>> > have configured PKI infrastructure in your network (for example Active
>> > Directory Certificate Services) and spinning another internal CA is not a
>> > big deal. You've mentioned that there is already an Active Directory domain,
>> > (...)
>> >
>> Interesting. Active Directory certificate service would also be using self
>> signed certificate, correct?
>
> Correct. AD Certificate Service can generate its own self-signed root CA
> certificate, just like FreeIPA with internal CA does. As far as I know,
> depending on how you initialize AD CS, this certificate would be deployed to
> domain-joined machines automatically or you would have to push it through
> Group Policies.

Thanks, I understand the purpose of --external-ca flag now petty well


> --
> Best regards
> Mateusz Małek
Thanks a lot Mateusz.  Really appreciate your great response.  I now
do feel I have all the info I was looking for when I started this
thread.

Regards,

William

More information about the Freeipa-users mailing list