On 09/02/2011 12:46 PM, Andrew Wnuk wrote:
> On 09/02/2011 06:05 AM, Rob Crittenden wrote:
>> The rhev-m team is trying to integrate IPA into their installs. They
>> currently use SSL as well and we're battling over the Apache
>> certificate (there can be only one).
>>
>> One option that came up is if they install IPA first if we can issue
>> them a subordinate CA then they can do their own thing without
>> changing too much of their code.
>>
>> I know dogtag can do this but I have no doubt that it currently
>> requires human intervention. Is it possible to write a profile to
>> have the IPA RA issue a subordinate CA cert automatically (as
>> dangerous as that is)?
>>
>> rob
>
> Although we agree that this practice should be avoided, Dogtag can be
> configured to issue subordinate CA certificates automatically.
> However, certificate request parametrization may need to be provided
> if we want to issue different certificates for services and sub-CAs.
>
> This assumes IPA has the ability to authenticate and authorize rhev-m
> sub-CA requests properly, and that rhev-m sub-CA functionality is well
> reviewed so nobody will question certificates issued by rhev-m sub-CAs.
>
> Thank you,
> Andrew
Does this even make sense? Wouldn't we want to have RHEV-M and IPA use
the same CA? Do they really need their own? I can't see that you would
take an existing CA and later make it a subordinate to a Dogtag CA, so
really they can use the Dogtag instance from IPA, and not try to manage
the CA themselves, OR manage it themselves completely. I'm guessing
that, like most of the projects that do some aspect of CA-stuff, they
have an incomplete solution, probably along the lines of IPA's
self-signed certs.
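The thread's concern ("as dangerous as that is") is that an automatically issued subordinate CA can sign anything the root could. The example below is added here and is not FreeIPA, Dogtag or RHEV-M code; it uses Go's standard crypto/x509 to show the two constraints a sub-CA profile of the kind Rob asks about would need to carry so the risk is bounded: a pathLenConstraint of 0 (the sub-CA cannot create further CAs) and a DNS name constraint limiting it to one domain. All names, domains (rhevm.example.test) and serial numbers are constructed for the demonstration; the hierarchy is built in memory and three leaf certificates are then verified against it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey and returns the new cert and its key.
// A nil parent produces a self-signed certificate (the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// base fills the fields every certificate needs; serial numbers are constructed.
func base(cn string, serial int64) x509.Certificate {
	return x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// caTemplate marks a certificate as a CA allowed to sign certificates and CRLs.
func caTemplate(cn string, serial int64) x509.Certificate {
	t := base(cn, serial)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	return t
}

// leafTemplate builds a TLS server certificate for one hostname.
func leafTemplate(dns string, serial int64) x509.Certificate {
	t := base(dns, serial)
	t.DNSNames = []string{dns}
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return t
}

// RunScenarios builds root -> constrained sub-CA, issues three leaves, and
// returns each leaf's chain-verification error (nil means the chain is valid).
func RunScenarios() (map[string]error, error) {
	var firstErr error
	must := func(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}

	rootT := caTemplate("Demo IPA Root CA", 1)
	root, rootKey := must(issue(&rootT, nil, nil))

	// The subordinate CA: pathLen 0 and a critical DNS name constraint.
	// These are the limits a sub-CA issuance profile would have to impose.
	subT := caTemplate("Demo RHEV-M Sub CA", 2)
	subT.MaxPathLen, subT.MaxPathLenZero = 0, true
	subT.PermittedDNSDomains = []string{"rhevm.example.test"} // hypothetical domain
	subT.PermittedDNSDomainsCritical = true
	sub, subKey := must(issue(&subT, root, rootKey))

	inT := leafTemplate("manager.rhevm.example.test", 3) // inside the constraint
	in, _ := must(issue(&inT, sub, subKey))
	outT := leafTemplate("ipa.example.test", 4) // outside the constraint
	out, _ := must(issue(&outT, sub, subKey))
	nestedT := caTemplate("Nested CA below the sub-CA", 5) // forbidden by pathLen 0
	nested, nestedKey := must(issue(&nestedT, sub, subKey))
	deepT := leafTemplate("deep.rhevm.example.test", 6)
	deep, _ := must(issue(&deepT, nested, nestedKey))
	if firstErr != nil {
		return nil, firstErr
	}

	roots := x509.NewCertPool()
	roots.AddCert(root)
	verify := func(leaf *x509.Certificate, inters ...*x509.Certificate) error {
		pool := x509.NewCertPool()
		for _, c := range inters {
			pool.AddCert(c)
		}
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
		return err
	}
	return map[string]error{
		"in-domain":     verify(in, sub),           // valid
		"out-of-domain": verify(out, sub),          // CANotAuthorizedForThisName
		"nested-ca":     verify(deep, sub, nested), // TooManyIntermediates
	}, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"in-domain", "out-of-domain", "nested-ca"} {
		fmt.Printf("%-14s -> %v\n", name, res[name])
	}
}
```

Only the leaf inside the permitted domain verifies; the one for an unrelated host and the one issued through a further CA under the sub-CA are rejected by any RFC 5280 path validator, which is what keeps a compromise of the sub-CA from affecting the rest of the IPA domain. Note that the constraints only help if the profile sets them on every sub-CA it issues and the requester is authenticated and authorized as Andrew describes.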
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel