We can have the IPA server CA signed by our root CA, so that the IPA CA becomes a subordinate of it.
Perform the IPA server installation with the --external-ca option. This creates the signing request /root/ipa.csr on the IPA server; copy it to the CA server for signing.
scp /root/ipa.csr caserver:/etc/pki/CA/intermediate/csr
Sign the IPA CA
We will sign the IPA request using the v3_intermediate_ca extensions, but with the policy_loose policy rather than the strict one. The IPA CSR does not carry every subject field that the strict policy requires to match the root CA, so the loose policy we defined earlier allows those fields to be optional.
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-days 3650 -notext -md sha256 \
-policy policy_loose \
-in intermediate/csr/ipa.csr \
-out intermediate/certs/ipa.pem
Installing the certs into IPA
Transfer the signed certificate (intermediate/certs/ipa.pem) back to the IPA server, along with the root CA certificate (certs/GatwardIT-CA2.pem), and continue the IPA installation using:
ipa-server-install --external-cert-file=/root/ipa.pem \
--external-cert-file=/root/GatwardIT-CA2.pem
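The following script is an added example, not part of the original page or of FreeIPA itself. It rehearses the signing step above end to end against a throwaway root CA: it writes a minimal stand-in for the page's openssl.cnf (with a policy_strict and a policy_loose section and a v3_intermediate_ca extension section), builds a CSR shaped like the one ipa-server-install --external-ca produces (FreeIPA's default CA subject carries only an O and a CN, no C or ST), shows that policy_strict rejects it while policy_loose signs it, and then runs the two checks worth doing before the certificate goes back to ipa-server-install: that ipa.pem verifies against the root certificate and that it really is a CA certificate. The root CA subject, the EXAMPLE.TEST realm, and all paths are constructed; the real openssl.cnf on the CA server may define its policies and extensions differently.

```shell
#!/bin/sh
# Added example: rehearse signing an IPA CA CSR under policy_loose and verify
# the result. Everything here (root CA, config, CSR) is constructed on the fly.
set -eu
WORK=$(mktemp -d)
CA="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT

# Minimal stand-in for the page's openssl.cnf (constructed, not the real file).
# policy_strict needs C/ST/O to match the root; policy_loose only needs a CN.
write_config() {
  mkdir -p "$CA/certs" "$CA/newcerts" "$CA/private" "$CA/csr"
  : > "$CA/index.txt"
  echo 1000 > "$CA/serial"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $CA
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
private_key    = \$dir/private/ca.key.pem
certificate    = \$dir/certs/ca.cert.pem
default_md     = sha256
policy         = policy_strict
unique_subject = no
[ policy_strict ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ policy_loose ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Self-signed root CA with a full subject (C/ST/O/CN), as a strict policy expects.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA/openssl.cnf" -extensions v3_ca \
    -subj "/C=AU/ST=NSW/O=GatwardIT/CN=Example Root CA" \
    -keyout "$CA/private/ca.key.pem" -out "$CA/certs/ca.cert.pem" 2>/dev/null
}

# Stand-in for /root/ipa.csr: FreeIPA's default CA subject has only O and CN.
make_ipa_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CA/openssl.cnf" \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout "$WORK/ipa.key.pem" -out "$CA/csr/ipa.csr" 2>/dev/null
}

# sign_ipa_csr POLICY: the page's signing command, parameterised on the policy.
# Returns openssl ca's exit status, so a policy rejection shows up as failure.
sign_ipa_csr() {
  rm -f "$CA/certs/ipa.pem"
  openssl ca -batch -config "$CA/openssl.cnf" -extensions v3_intermediate_ca \
    -days 3650 -notext -md sha256 -policy "$1" \
    -in "$CA/csr/ipa.csr" -out "$CA/certs/ipa.pem" >/dev/null 2>&1
}

# Pre-flight checks before the cert is handed to ipa-server-install:
# it must chain to the root and must carry basicConstraints CA:TRUE.
verify_ipa_cert() {
  openssl verify -CAfile "$CA/certs/ca.cert.pem" "$CA/certs/ipa.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$CA/certs/ipa.pem" -noout -text | grep -q 'CA:TRUE'
}

write_config
make_root_ca
make_ipa_csr

if sign_ipa_csr policy_strict; then
  echo "unexpected: policy_strict accepted a CSR without C/ST"
else
  echo "policy_strict rejected the IPA CSR (missing countryName), as expected"
fi
sign_ipa_csr policy_loose && echo "policy_loose signed $CA/certs/ipa.pem"
verify_ipa_cert && echo "ipa.pem chains to the root CA and is CA:TRUE"
```

The strict-policy failure is exactly the situation the text describes: openssl ca refuses a request that lacks a field the policy marks as match or supplied, which is why the page signs the IPA CSR under policy_loose instead. Run the verify step on the real ipa.pem with the real root certificate before copying both back to the IPA server.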