[Freeipa-devel] Multiple CA certificates in LDAP, questions

John Dennis jdennis at redhat.com
Mon Sep 9 14:05:59 UTC 2013


On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
> On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
>> Should each IPA service (LDAP, HTTP, PKINIT) have its own
>> distinctive set of trusted CAs, or is using one set for everything
>> good enough? Using distinctive sets would allow granular control
>> over what CA is trusted for what service (e.g. trust CA1 to issue
>> certificates for LDAP and HTTP, but trust CA2 only to issue
>> certificates for HTTP), but I'm not sure how useful that would be in
>> the real world.
> 
> I'd expect it to depend heavily on whether or not you're chaining up to
> an external CA.  Personally, I'd very much want to keep a different set
> of trust anchors for PKINIT in that situation.

If you've got an external CA you still effectively have one trust anchor
that can be revoked because we create a sub-CA from the external CA. Or
perhaps I misunderstood what you were suggesting.


-- 
John




More information about the Freeipa-devel mailing list