On Mon, Oct 09, 2017 at 02:29:09PM +0200, Gabriel Stein via FreeIPA-users wrote:
> Hi all,
> I was discussing an issue with @ftweedal and I will continue asking some
> questions here.
> I have installed FreeIPA with an additional Replica Server, but to me some
> concepts are not so clear.
> Let's talk about my setup:
> Goal: Replace Active Directory Auth on DMZ Network.
> Provide SSL Certs for Servers/Services
> If possible, Management for S/MIME Certificates (Mail Signing)
> Servers(Total: 3 VMs)
> ipa1/ipa2: FreeIPA Server and Replica
> pki1: Dogtag installation (external CA for ipa1/ipa2).
> I know, FreeIPA includes Dogtag (and that makes the certificate management
> possible), but I needed a Dogtag Service to create the external CA for
> Now I have some questions:
> - Was the Dogtag installation "too much"? Probably it was better to just create a CA
> manually with OpenSSL and import it on ipa1/ipa2?
> - Should I use FreeIPA as the sub-CA for all Servers/Services and leave
> Dogtag as a main CA? Do I have an advantage using this setup?
(Copy of my answer from
Should you use the FreeIPA CA or Dogtag? It is better to think about
it this way: what does Dogtag offer that FreeIPA does not? Right
now, the answer mostly boils down to: HSM, token processing, and
more control over issuance workflow (e.g. request queues, agent
roles, ability to issue certs to arbitrary subject rather than only
known principals in the FreeIPA DB, etc).
If you only want to issue certs to services/hosts/users recorded in
FreeIPA, and you do not need HSM, then the FreeIPA CA will meet your
Yes, you can issue S/MIME certificates with FreeIPA - you just need
to create a custom profile to set the appropriate Extended Key Usage
> Thanks in Advance!
> Best Regards,
> Gabriel Stein
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
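As an added example that is not part of the thread or of the FreeIPA project, the custom-profile step the reply mentions: export FreeIPA's default service profile, point its Extended Key Usage at emailProtection, and import the result under a new name. The profile name `smime`, the temp paths and the CA ACL name are assumptions; the text transform runs offline, the import needs a kinit'd admin on a FreeIPA 4.x server.

```shell
#!/bin/sh
# Added example, not the thread's own code. Derives an S/MIME profile from
# caIPAserviceCert by swapping its Extended Key Usage OIDs.

# id-kp-emailProtection (RFC 5280 4.2.1.12). caIPAserviceCert ships
# serverAuth,clientAuth, which mail clients will not accept for signing.
SMIME_EKU="1.3.6.1.5.5.7.3.4"

# set_smime_eku <in.cfg> <out.cfg> <profileId>
# Rewrites profileId and every exKeyUsageOIDs line so issued certs carry only
# emailProtection. Works on any policyset name. Subject/SAN defaults still
# follow the source profile; adjust them for user principals if needed.
set_smime_eku() {
  in="$1"; out="$2"; pid="$3"
  sed -e "s/^profileId=.*/profileId=$pid/" \
      -e "s/^\(policyset\..*\.default\.params\.exKeyUsageOIDs\)=.*/\1=$SMIME_EKU/" \
      "$in" > "$out"
}

# count_eku <cfg> <oid>: number of exKeyUsageOIDs lines equal to exactly <oid>
count_eku() {
  grep -c "^policyset\..*\.default\.params\.exKeyUsageOIDs=$2\$" "$1" || true
}

# The online part (needs `ipa` and admin credentials); assumed names below.
build_and_import() {
  ipa certprofile-show caIPAserviceCert --out=/tmp/caIPAserviceCert.cfg
  set_smime_eku /tmp/caIPAserviceCert.cfg /tmp/smime.cfg smime
  ipa certprofile-import smime --file=/tmp/smime.cfg --store=true \
      --desc="S/MIME (emailProtection) certificates"
  # Restrict who may request against the new profile (ACL name is a placeholder).
  ipa caacl-add smime_users --usercat=all
  ipa caacl-add-profile smime_users --certprofiles=smime
}

if [ "${1:-}" = "--apply" ]; then build_and_import; fi
```

Run with `--apply` on the IPA server; without it only the functions are defined, so the transform can be checked on an exported profile first.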