FreeIPA can be installed with an external root CA and a local intermediate CA in Dogtag PKI. ipa-client-install installs both the root CA's certificate and the IPA CA's intermediate cert as trust anchors. It is not necessary to install an intermediate cert as a trust anchor. This causes some issues, e.g. Firefox no longer shows the root CA in the cert viewer and terminates cert verification at the intermediate cert.
The intermediate cert is installed in
Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
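
A check for the condition this ticket describes, as an added example that is not part of the ticket or of FreeIPA's code: it classifies each PEM file in a set of trust anchors as a self-issued root or an intermediate, using the `openssl` CLI. The function names, the constructed certificate subjects and the file names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag trust-anchor files that are not self-issued roots.

# Print "root" if the certificate in PEM file $1 is self-issued
# (subject name == issuer name), otherwise "intermediate".
# This compares names only; it does not validate the signature.
anchor_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$subj" = "$issr" ]; then
        echo root
    else
        echo intermediate
    fi
}

# Audit the given anchor files (one certificate per file).
# Prints one line per file; the return status is the number of
# intermediates found, so 0 means every anchor is a root.
audit_anchors() {
    found=0
    for f in "$@"; do
        kind=$(anchor_kind "$f") || { echo "unreadable: $f"; continue; }
        echo "$kind: $f"
        if [ "$kind" = intermediate ]; then
            found=$((found + 1))
        fi
    done
    return "$found"
}

# Constructed sample input: a throwaway external root and an
# intermediate signed by it, written into directory $1.
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed External Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed IPA Intermediate CA" \
        -keyout "$dir/ipa.key" -out "$dir/ipa.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ipa.csr" -days 1 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/ipa.pem" 2>/dev/null
}
```

Run `make_demo_chain` against a scratch directory and pass the resulting `root.pem` and `ipa.pem` to `audit_anchors` to see one anchor of each kind reported.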