Dmitri Pal wrote:
On 03/22/2013 08:10 AM, Petr Viktorin wrote:
The design page for CA-less installation with user-provided SSL certs
is available at http://freeipa.org/page/V3/CA-less_install. I've also
copied it to this mail.

Does it answer all your questions?

Petr,

It answers a lot of questions.
However, isn't the whole goal to be able to use an external CA we do not
have control of as a part of the trust chain?

I might very well confuse things so bear with me.

Say I have a public CA X I want to use as the root of my trust chain so
that I do not need to distribute certificates to all my clients.
I can't create a sub CA using external-ca because it will cost me a lot
of money.

But I can create a PKI pair for just two servers (HTTP and DS) much
cheaper. Is this the assumption?
Is this really how this works? Is it really easy to get a CSR signed by
a public CA X?

Yes, it really can be that easy. Most of the requests in this area have involved using wildcard certs which are slightly more complex to get, but you can get free SSL server certs from StartSSL in less than 30 minutes (providing you can prove you manage the domain you're requesting certs for).

I imagine that most will use the same cert for both services, rather than getting separate certs.

Other comments: what are the implications on certmonger and cert
rotation? I assume certmonger will be turned off. It should then be
documented that we will not track or warn about the cert expiration.

Right, we won't be able to leverage certmonger. Users will be on their own to handle renewal.

In future, for the KDC PKINIT support, we will need yet another cert for
the KDC; you do not need to implement it now, but please consider this in
the design.

This is a grey area. I don't know if the public CAs will issue this kind of cert. A survey would be required to find out.

rob
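With certmonger out of the picture in a CA-less install, nothing on the server warns before the HTTP and DS certificates expire. The following is an added example (not FreeIPA project code) of the stand-alone expiry check a practitioner would run from cron against the PEM files for those two services: it pulls the validity period straight out of the X.509 DER with a minimal ASN.1 walker so it needs no third-party modules. The certificate paths, the 30-day warning threshold, and the unsigned sample certificate built by make_sample_cert() are assumptions made for the example.

```python
"""Expiry check for user-provided HTTP/DS server certs (added example)."""
import base64
import re
import sys
from datetime import datetime, timedelta, timezone


def _der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos.
    Short and long-form lengths are handled; X.509 needs no multi-byte tags."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte DER tag not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def _der_children(value):
    """Split a constructed element's content into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _der_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18,
    YYYYMMDDHHMMSSZ).  RFC 5280 pivots two-digit UTCTime years at 2050."""
    text = raw.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("non-UTC time in certificate: %r" % text)
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = "%04d%s" % (year, text[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_der(data):
    """Accept PEM (str or bytes) or raw DER and return DER bytes."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if b"-----BEGIN" not in data:
        return data
    body = re.sub(rb"-----[^-]+-----", b"", data)
    return base64.b64decode(b"".join(body.split()))


def cert_validity(data):
    """Return (notBefore, notAfter) from an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, ... }"""
    tag, cert, _ = _der_tlv(pem_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs, _ = _der_tlv(cert, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _der_children(tbs)
    if fields and fields[0][0] == 0xA0:   # v1 certs omit the explicit [0] version
        fields = fields[1:]
    val_tag, validity = fields[3]         # serial, sigalg, issuer, validity
    if val_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    (nb_tag, nb), (na_tag, na) = _der_children(validity)[:2]
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def check_expiry(data, now=None, warn_days=30):
    """Return (status, days_remaining); status is one of 'ok', 'expiring',
    'expired', 'not_yet_valid'.  `now` is injectable so tests are stable."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = cert_validity(data)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if not_after - now <= timedelta(days=warn_days):
        return "expiring", days_left
    return "ok", days_left


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_sample_cert(not_before, not_after):
    """Constructed, unsigned X.509-shaped DER (assumption, not a real cert):
    only the validity field is meaningful; Names and SPKI are empty SEQUENCEs."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),               # [0] version v3
        _der(0x02, b"\x01"),                           # serialNumber 1
        _der(0x30, b""),                               # signature AlgorithmIdentifier
        _der(0x30, b""),                               # issuer Name
        _der(0x30, utc(not_before) + utc(not_after)),  # validity
        _der(0x30, b""),                               # subject Name
        _der(0x30, b""),                               # subjectPublicKeyInfo
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # Assumed usage: check_cert_expiry.py /path/to/http.pem /path/to/ds.pem
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            status, days = check_expiry(fh.read())
        print("%s: %s (%d days remaining)" % (path, status, days))
```

The walker only trusts structure it has checked (outer SEQUENCE, tbsCertificate SEQUENCE, validity SEQUENCE) and rejects non-Zulu times, so a malformed file fails loudly rather than reporting "ok"; run it from cron with a non-zero exit on anything other than "ok" if you want an alert.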

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
