[Freeipa-users] Signed cert/CA and updating certs?

Fraser Tweedale ftweedal at redhat.com
Thu Apr 27 02:39:59 UTC 2017


On Wed, Apr 26, 2017 at 09:51:34AM -0500, Kat wrote:
> Hi again,
> 
> Well, Let's Encrypt is working nicely with the httpd cert - but I am
> wondering if there is a way to use Let's Encrypt or another signed cert to
> replace the CA to be able to sign all the certs with it, or is the only way
> to sign our certs with the built-in CA?  I guess, thinking about it more, if
> I am signing certs based on LE's Cert, that might be a bad thing from their
> standpoint...
> 
> Just thinking out loud and looking for some input.
> 
> Kat
> 

LE issues TLS server certificates and uses the ACME protocol for
automated domain validation and certificate issuance.  For IPA,
there is no way (in general) that we can satisfy the DV challenges,
and LE issues certs in a single profile for a narrow use case.

So the general answer is: LE is not a suitable CA "backend" for IPA
cert issuance.

That said, there is some scope for acquisition of certs from LE for
IPA-enrolled TLS servers.  We can manage it if IPA's DNS is publicly
exposed.  But we have not implemented this and it is not a priority.

HTH.  Let me know if you have further questions.

Cheers,
Fraser

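The following script is an added illustration of the point made above about LE's single server-certificate profile; it is not code from this thread, from FreeIPA or from Let's Encrypt. It builds a private root (standing in for IPA's built-in CA), issues a server certificate with a Let's Encrypt-like profile (CA:FALSE, no keyCertSign, serverAuth only), tries to issue a second host certificate under that server certificate, and shows that path validation rejects the result. Every certificate, name and path here (Example Root CA, the example.test hosts, the $WORK directory) is constructed locally, so it runs offline with only a stock openssl binary.

```shell
#!/bin/sh
# Added illustration for the discussion above; not code from FreeIPA or
# Let's Encrypt. Every certificate is generated locally (constructed) so the
# script runs offline; the "leaf" mimics the profile of a DV server cert
# (CA:FALSE, no keyCertSign, serverAuth only).
set -e
WORK=$(mktemp -d)

# Create a fresh RSA key and CSR.   $1=key  $2=csr  $3=subject
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$3" 2>/dev/null
}

# Return 0 if the certificate asserts basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# Return 0 if $3 chains to trust anchor $1 via the untrusted certs in $2.
chain_validates() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# 1. A private root CA, standing in for IPA's built-in CA.
new_csr "$WORK/root.key" "$WORK/root.csr" "/CN=Example Root CA"
cat > "$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

# 2. A server certificate issued by that root, with an LE-like profile.
new_csr "$WORK/leaf.key" "$WORK/leaf.csr" "/CN=www.example.test"
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# 3. Try to use that server certificate as the issuer for a second host
#    (same server profile reused for the child, which is enough for the demo).
new_csr "$WORK/child.key" "$WORK/child.csr" "/CN=ldap.example.test"
if openssl x509 -req -in "$WORK/child.csr" -CA "$WORK/leaf.pem" \
    -CAkey "$WORK/leaf.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/child.pem" 2>/dev/null
then
    echo "openssl signed child.pem with the server cert (signing does not police CA:FALSE)"
else
    echo "openssl refused to sign with the server cert"
fi

# 4. Path validation is where the mis-issued certificate is rejected.
is_ca_cert "$WORK/root.pem" && echo "root.pem: CA:TRUE"
is_ca_cert "$WORK/leaf.pem" || echo "leaf.pem: not a CA certificate"
chain_validates "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/leaf.pem" \
    && echo "leaf.pem: verifies against root"
chain_validates "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/child.pem" \
    || echo "child.pem: rejected (its issuer is not a CA)"
```

The useful observation is the split between steps 3 and 4: a signing tool will happily produce a certificate under any key it is handed, so the guard against "sign our own certs with the LE-issued cert" is not at issuance time but in every relying party's path validation, which checks basicConstraints and keyUsage on each issuer in the chain. A CA meant to issue for IPA-enrolled hosts must carry CA:TRUE and keyCertSign, which a DV server certificate never does.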