lejeczek via FreeIPA-users wrote:
> Hi guys
>
> I'm for the first time contemplating CA service from a public CA to
> subordinate IPA to it - would it make sense with a *.sub.domain cert, if
> such one cert one already has from that public CA, to still want to sub
> IPA's CA?
>
> (not a CA expert so go easy on me)

I'm not quite sure I understand the question.

I think what you're asking is: I have a wildcard cert from a public CA. Is that sufficient or should I get my IPA CA signed by the public CA?

For the first question, maybe. You can replace the IPA web and LDAP certificates with the one from the public CA but it requires manual intervention at renewal and the more you share that key around the less secure it is in general.

For the second question, I seriously doubt a public CA will sign an IPA CA because of policies. And if they did you'd need a small fortune to do it.

rob
