On Sat, Jul 18, 2020 at 12:45:03AM +0000, Vinícius Ferrão via FreeIPA-users wrote:
> Hello,
>
> I need to issue some certificates for the AD environment and I don't have ADCS in place. So my FreeIPA deployment was with a self-signed CA and the common AD Trust enabled.
>
> Now with this issue I'm looking at IPA's documentation and there are some recommendations to deploy IPA as a subCA from ADCS, but as I said, I don't have it. So I was thinking if it's possible to issue certificates for Windows machines directly from FreeIPA, and if this is recommended or not.
>
> If it's possible but it will be a hassle, is there a way to make FreeIPA talk with ADCS after the deployment? I can set up an ADCS instance to keep Windows certificates in a separate location.
>
> I saw this post:
> https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-integration-ipa-certs.html
> but I don't think it's the same issue here; the valuable info that I found on this site is about trusting the FreeIPA CA certificate on a Windows environment: "Operationally there is one additional step when the IPA CA is not subordinate to the AD CA: the IPA CA certificate has to be explicitly trusted."; but the use case does not seem to be on a Windows system.
>
> Thanks for any guidance.

Hi Vinícius,
FreeIPA does not support the enrolment protocols used by Windows systems. You might have an easier time using AD-CS.

If you decide to use AD-CS you have three options on how to relate the PKIs:

a) Have AD-CS as a separate PKI. You will need to add the AD-CS CA cert to IPA's trust store and vice-versa.

b) Re-chain the IPA CA to become a subordinate of the AD-CS CA.

c) Make AD-CS a subordinate of the IPA CA. See [1] for how to issue subordinate CA certs from FreeIPA.

[1] https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html

If you decide to continue without AD-CS, we can help with issuance (the profile configuration, CA ACLs, etc) but I have no idea about the procedure on the Windows side (creating the CSR, installing the certificate, etc).

Cheers,
Fraser

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
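The three layouts Fraser lists (a, b, c) can be told apart from the two CA certificates alone, which is a useful check after a re-chaining or sub-CA issuance. The script below is an added example, not code from the thread or from the FreeIPA project: it builds throwaway test CAs with openssl for each layout and classifies them; it assumes `openssl` is on PATH, and all names and files are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): report which of the three layouts, a/b/c,
# an IPA CA cert and an AD-CS CA cert are in. Assumes 'openssl' on PATH; every
# certificate is a constructed throwaway test CA in a temp dir.
set -e

# issued_by CHILD PARENT: succeeds if CHILD chains to the self-signed PARENT.
issued_by() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# pki_relation IPA_CA_CERT ADCS_CA_CERT: prints a, b or c as in the reply.
pki_relation() {
    if issued_by "$1" "$2"; then echo "b: IPA CA is subordinate to AD-CS"
    elif issued_by "$2" "$1"; then echo "c: AD-CS is subordinate to the IPA CA"
    else echo "a: separate PKIs; import each root into the other's trust store"
    fi
}
demo=$(mktemp -d)
# Minimal config so each CA cert carries CA:TRUE whatever the OpenSSL version.
cat > "$demo/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# new_root NAME PREFIX: self-signed root CA.
new_root() {
    openssl req -x509 -config "$demo/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}
# new_sub NAME PREFIX ROOTPREFIX: CA certificate issued by an existing root.
new_sub() {
    openssl req -new -config "$demo/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$2.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -extfile "$demo/ca.cnf" -extensions ca_ext \
        -out "$2.crt" 2>/dev/null
}

new_root "AD-CS Root CA" "$demo/adcs"
new_root "IPA CA"        "$demo/ipa"                   # today's self-signed IPA CA
new_sub  "IPA CA"        "$demo/ipa-sub"  "$demo/adcs" # IPA re-chained under AD-CS
new_sub  "AD-CS Sub CA"  "$demo/adcs-sub" "$demo/ipa"  # AD-CS issued by the IPA CA
pki_relation "$demo/ipa.crt"     "$demo/adcs.crt"      # a
pki_relation "$demo/ipa-sub.crt" "$demo/adcs.crt"      # b
pki_relation "$demo/ipa.crt"     "$demo/adcs-sub.crt"  # c
```

Point `pki_relation` at your real IPA CA and AD-CS CA certificate files to confirm which layout you are actually in before configuring trust stores.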