Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1399190
Description of problem:
When you have your IdM PKI CA certificate signed by an external CA, the IdM CA certificate contains the full certificate chain. To verify the full chain, only the Root CA certificate is required.

When you now request a new service certificate from the IdM CA, it only contains the actual service certificate and not the full chain. The IPA CA certificate has to be used as a trust anchor to verify the new service certificate. People now need to have the Root CA *and* the IPA CA certificate in their trust store to verify the chain.

We should either include the full trust chain into certificates issued by the IPA CA by default or provide a config option for this so that IPA admins can decide on their own if they wanna trust the upstream CA for all sorts of certificates.

Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
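The trust-store behaviour described in the report, reproduced with `openssl verify` as an added example (not part of the ticket or of FreeIPA's code). The three-level PKI, the subject names and the file names are constructed for the demonstration.

```shell
# Constructed PKI: external root CA -> IPA CA -> service certificate.
# All subject and file names are placeholders for this demonstration.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed external root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
        -extensions v3_ca -subj "/CN=Constructed External Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null || return 1
    # IPA CA, signed by the external root (an intermediate CA).
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=Constructed IPA CA" \
        -keyout "$WORK/ipa.key" -out "$WORK/ipa.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.cnf" -extensions v3_ca \
        -out "$WORK/ipa.pem" 2>/dev/null || return 1
    # Service certificate, signed by the IPA CA and delivered without any chain.
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=service.example.test" \
        -keyout "$WORK/svc.key" -out "$WORK/svc.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/svc.csr" -CA "$WORK/ipa.pem" -CAkey "$WORK/ipa.key" \
        -CAcreateserial -days 2 -out "$WORK/svc.pem" 2>/dev/null || return 1
    cat "$WORK/root.pem" "$WORK/ipa.pem" > "$WORK/both.pem"
}

# Trust store holds only the root; the peer sends only the service certificate.
verify_root_only() { openssl verify -CAfile "$WORK/root.pem" "$WORK/svc.pem" >/dev/null 2>&1; }
# Trust store holds the root and the IPA CA (the situation the report describes).
verify_root_and_ipa() { openssl verify -CAfile "$WORK/both.pem" "$WORK/svc.pem" >/dev/null 2>&1; }
# Trust store holds only the root; the IPA CA arrives as untrusted chain material.
verify_root_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/ipa.pem" "$WORK/svc.pem" >/dev/null 2>&1
}

build_pki || { echo "openssl failed to build the test PKI" >&2; exit 1; }
for check in verify_root_only verify_root_and_ipa verify_root_with_chain; do
    if "$check"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
```

The third check passes with the root as the only trust anchor because the intermediate is supplied alongside the service certificate and is itself validated against the root, not trusted on its own.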
Is this anyhow related to #6178?
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @jcholast: - Issue assigned to jcholast (was: someone)
master:
Metadata Update from @dkupka: - Issue close_status updated to: None
Metadata Update from @dkupka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)