On Wed, Feb 05, 2020 at 06:19:16PM -0000, Jakob Ackermann via FreeIPA-users wrote: > this is exactly what I tried before and the puppet agent complaint > that it could not find the CA his certificate was signed with. > This is a limitation in puppet. > OK, thanks for clarifying.
> Rob's answer worked for me around the puppet limitation. Any > reason why I would not want add the sub-ca certificate into the > manage certs? > If the sub-CA cert gets renewed it will not automatically be updated in the trust store. If you revoke the sub-CA cert but clients explicitly trust it, the clients may not check revocation status of the sub-CA. Other than those points, there is no harm in doing it since the trust is transitive anyway. Cheers, Fraser > Thanks so much. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
