> I'm surprised LE issued a cert at all. It doesn't issue CA subordinate
> certificates. You are not likely to find a public CA that will issue you
> a subordinate CA without lots of $$$ and a ton of work due to
> transparency requirements.

So standard practice using FIPA would be to create our own chain within that environment and anything that needs outside communication would get signed by LE as a leaf node. Is that true? I hate to ask basic questions, but I haven't been able to find any standard practice documentation so my process is to make assumptions and press buttons.

> What is the ultimate goal for using an external CA? So that clients will
> already trust the issued certificates without requiring distributing the
> chain?
>
> You can provide your own certificates for HTTP and LDAP, from LE or
> elsewhere, either during the installation process or after the
> installation is done. See the ipa-server-install and
> ipa-server-certinstall man pages.
>
> rob

Yes. This exactly, but I may be approaching this from the wrong angle as you explain in the second paragraph, but I didn't know what other perspectives there were. When banging one's head on the desk it feels good to finally stop. Thank you.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
