Bug 1200731 - [RFE] Support lightweight sub-CAs
Summary: [RFE] Support lightweight sub-CAs
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Aneta Šteflová Petrová
Depends On: 1345755
Blocks: 1351258
TreeView+ depends on / blocked
Reported: 2015-03-11 09:59 UTC by Martin Kosek
Modified: 2016-11-04 05:44 UTC (History)
8 users (show)

Fixed In Version: ipa-4.4.0-1.el7
Doc Type: Release Note
Doc Text:
IdM now supports sub-CAs Previously, Identity Management (IdM) only supported one certificate authority (CA) that was used to sign all certificates issued within the IdM domain. Now, you can use lightweight sub-CAs for better control over the purpose for which a certificate can be used. For example, a Virtual Private Network (VPN) server can be configured to only accept certificates issued by a sub-CA created for that purpose, rejecting certificates issued by other sub-CAs, such as a smart card CA. To support this functionality, you can now specify an IdM lightweight sub-CA when requesting a certificate with certmonger. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#lightweight-sub-cas
Clone Of:
: 1351258 (view as bug list)
Last Closed: 2016-11-04 05:44:48 UTC
Target Upstream Version:

Attachments (Terms of Use)
tkt_4559.log (8.03 KB, text/plain)
2016-08-19 11:24 UTC, Abhijeet Kasurde
no flags Details
tkt_5999.log (2.11 KB, text/plain)
2016-08-19 11:54 UTC, Abhijeet Kasurde
no flags Details
tkt_5963.log (6.73 KB, text/plain)
2016-08-19 12:17 UTC, Abhijeet Kasurde
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Martin Kosek 2015-03-11 09:59:11 UTC
This bug is created as a clone of upstream ticket:

In RHEL 7.1, all certificates issued by IPA are interchangeably reusable in different environments, i.e. a certificate issued for mobile device can be used for VPN and vice versa. 

To scope certificates to a specific use without requiring additional access control knobs on behalf of the application that uses the certs, the profiles can be associated with a subCA. 

It should be possible to associate different profiles with different CAs so it should be a many to may relationship.

Comment 2 Martin Kosek 2015-07-07 10:08:36 UTC
FreeIPA upstream project postponed the release to later release:


Comment 8 Petr Vobornik 2016-06-22 16:28:57 UTC
Upstream ticket:

Comment 12 Petr Vobornik 2016-06-29 11:05:37 UTC
Upstream ticket:

Comment 16 Petr Vobornik 2016-07-01 13:49:33 UTC
The core of the feature is finished. Moving to modified.

There might be regression or minor parts missing. They should be tracked in separate bugzillas.

Comment 21 Abhijeet Kasurde 2016-08-19 11:02:40 UTC
Observed BZ1368424

Comment 22 Abhijeet Kasurde 2016-08-19 11:24:25 UTC
Created attachment 1192114 [details]

Comment 23 Abhijeet Kasurde 2016-08-19 11:54:55 UTC
Created attachment 1192118 [details]

Comment 24 Abhijeet Kasurde 2016-08-19 12:17:54 UTC
Created attachment 1192121 [details]

Comment 25 Abhijeet Kasurde 2016-08-19 12:19:05 UTC
Verified using IPA version ::

Marking RFE BZ as verified. Please see attached logs for console log.

Comment 27 errata-xmlrpc 2016-11-04 05:44:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.