[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used

Dmitri Pal dpal at redhat.com
Fri Jun 7 12:04:17 UTC 2013


On 06/07/2013 03:47 AM, freeipa wrote:
> #3668: CA-less install fails when intermediate CA is used
> -------------------------------------+-------------------------------------
>                Reporter:  jcholast   |             Owner:  jcholast
>                    Type:  defect     |            Status:  assigned
>                Priority:  major      |         Milestone:  2013 Month 06 -
>               Component:             |  June (3.2.x bug fixing)
>   Installation                       |           Version:
>              Resolution:             |          Keywords:
>              Blocked By:             |          Blocking:
>           Tests Updated:  0          |       Affects DOC:  0
> Patch posted for review:  0          |  Red Hat Bugzilla:
>                  Source:             |       Effort Type:
>        Targeted feature:             |       Design link:
>           Design review:  0          |  Fedora test page:
>                  Chosen:             |   Needs UI design:
> -------------------------------------+-------------------------------------
> Release Notes:
>
>
> -------------------------------------+-------------------------------------
> Changes (by mkosek):
>
>  * rhbz:  0 =>
>
>
> Comment:
>
>  We do not support intermediate CAs for external CA install or CA-less
>  install. Thus, this ticket cannot be easily solved without extensive
>  changes to the installer. Related to #3274 (Pilsner milestone).
>
>  Moving back to triage to decide what to do about this ticket.
>
So you are saying that the CA we chain to or get the certs from should
always be a root CA?
Why does it matter for our code whether the CA we deal with is a Root CA or
not?

If we are trying to say that we do not follow the chains of trust I can
understand that. So the limitation is that we should always be given the
certs from the same CA we chain to and not its sub CAs, right? That
makes sense.

Can someone describe a use case where in real life the certs would come
from one CA in the chain but we would be told to chain to or use a sub CA
of that CA? That seems strange. What am I missing?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
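To make the root-CA-versus-sub-CA distinction in the thread concrete, here is an added example (not FreeIPA installer code) that builds a throwaway root -> sub CA -> server certificate hierarchy with the openssl command line and shows which trust-store contents let the server certificate verify. The CA names and the hostname ipa.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example, not FreeIPA code: throwaway PKI (root -> sub CA -> server cert)
# built with openssl, then verified against different trust-store contents.
set -e

WORK=$(mktemp -d)
# Extensions for the two CA certificates and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.cnf"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.test\n' > "$WORK/leaf.cnf"

# new_csr NAME CN: fresh RSA key plus CSR for the constructed subject CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign_csr NAME ISSUER EXTFILE: issue NAME's certificate with ISSUER's key;
# ISSUER=self produces the self-signed root.
sign_csr() {
    if [ "$2" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -out "$WORK/$1.pem" -days 365 -extfile "$WORK/$3" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -CAcreateserial -out "$WORK/$1.pem" -days 365 -extfile "$WORK/$3" 2>/dev/null
    fi
}

new_csr root "Example Root CA";  sign_csr root self ca.cnf
new_csr sub  "Example Sub CA";   sign_csr sub  root ca.cnf
new_csr srv  "ipa.example.test"; sign_csr srv  sub  leaf.cnf

# verifies TRUSTED [extra openssl verify options]: exit 0 if srv.pem chains to
# TRUSTED.pem as the trust anchor under openssl's default full-chain policy.
verifies() {
    trusted=$1; shift
    openssl verify -CAfile "$WORK/$trusted.pem" "$@" "$WORK/srv.pem" >/dev/null 2>&1
}

# Root alone while the server cert was issued by the sub CA: the issuer is missing.
verifies root && echo "root only: OK" || echo "root only: FAIL"
# Root plus the sub CA handed over as an intermediate: the full chain verifies.
verifies root -untrusted "$WORK/sub.pem" && echo "root + sub: OK" || echo "root + sub: FAIL"
# Sub CA alone as anchor: rejected unless partial chains are explicitly allowed.
verifies sub && echo "sub only: OK" || echo "sub only: FAIL"
verifies sub -partial_chain && echo "sub only, partial chain: OK" || echo "sub only, partial chain: FAIL"
```

The second and fourth checks succeed, the first and third fail: a verifier given only the CA it was told to chain to cannot validate a certificate issued one step further down unless the intermediate is also supplied or partial chains are deliberately accepted.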