Discussion:
[Freeipa-users] Signed cert/CA and updating certs?
Kat
2017-04-26 14:51:34 UTC
Permalink
Hi again,

Well, Let's Encrypt is working nicely with the httpd cert - but I am
wondering if there is a way to use Let's Encrypt or another signed cert
to replace the CA to be able to sign all the certs with it, or is the
only way to sign our certs with the built in CA? I guess, thinking
about it more, if I am signing certs based on LE's Cert, that might be a
bad thing from their standpoint...

Just thinking out loud and looking for some input.

Kat
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Fraser Tweedale
2017-04-27 02:39:59 UTC
Permalink
Post by Kat
Hi again,
Well, Let's Encrypt is working nicely with the httpd cert - but I am
wondering if there is a way to use Let's Encrypt or another signed cert to
replace the CA to be able to sign all the certs with it, or is the only way
to sign our certs with the built in CA? I guess, thinking about it more, if
I am signing certs based on LE's Cert, that might be a bad thing from their
standpoint...
Just thinking out loud and looking for some input.
Kat
LE issues TLS server certificates and uses the ACME protocol for
automated domain validation and certificate issuance. For IPA,
there is no way (in general) that we can satisfy the DV challenges,
and LE issues certs in a single profile for a narrow use case.

So the general answer is: LE is not a suitable CA "backend" for IPA
cert issuance.

That said, there is some scope for acquisition of certs from LE for
IPA-enrolled TLS servers. We can manage it if IPA's DNS is publicly
exposed. But we have not implemented this and it is not a priority.

HTH. Let me know if you have further questions.

Cheers,
Fraser
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Loading...