Using FreeIPA SubCAs
by Juan Antonio Osorio Robles
Using lightweight CAs in FreeIPA is quite straight forward.
With an existing FreeIPA installation, you can add a sub CA with the following command:
It will ask you to name the sub CA, and specify the Common Name and will give an output such as the following:
The Common Name you specify is what you’ll see in the “issuer” section of the certificates you request with this sub CA. The name is a nickname of your choice, which in this case, I used mysubca.
If you try to request certificates with just this, you’ll get an error saying you don’t have sufficient privileges. To address this, we need to set the relevant ACL for the CA.
you can see what ACLs are currently available with the following command:
The output will look like this:
To add the ACL for enabling service certificates for the new sub CA we do:
Note that to specify the CA that you’re adding the ACL to, you need to use the nickname of the sub CA.
Finally, you can request certificates from your sub CA. to do so, you need to do: