IdM now supports sub-CAs
Previously, Identity Management (IdM) only supported one certificate authority (CA) that was used to sign all certificates issued within the IdM domain. Now, you can use lightweight sub-CAs for better control over the purpose for which a certificate can be used. For example, a Virtual Private Network (VPN) server can be configured to only accept certificates issued by a sub-CA created for that purpose, rejecting certificates issued by other sub-CAs, such as a smart card CA.
To support this functionality, you can now specify an IdM lightweight sub-CA when requesting a certificate with certmonger.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#lightweight-sub-cas
This bug is created as a clone of upstream ticket:
Certmonger needs a way to specify an IPA lightweight CA name when
requesting a certificate. It is the Certmonger side of
Design page: http://www.freeipa.org/page/V4/Sub-CAs#Certmonger
Marking as FailedQA as found following bug - BZ1367683
Verified using IPA and Certmonger version::
Marking BZ as verified.
Created attachment 1202712 [details]
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.