On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
Hi,
I see DogTag PKI used as a certificate server for the enrollment of hosts and services. What about the enrollment of normal X509v3 certificates? I have not seen, correct me if I'm wrong, any reference to the possibility to use it as a regular CA for user certificates. Not within FreeIPA, of course.

Is there any drawback in using it as the primary CA for the company?

It is a full CA. You can use it as such. Dogtag is a vibrant project in its own right, and you can find developers on #dogtag-pki in Freenode. The install is done via pkisilent, and you might want to make sure that you understand the parameters used to call it.

One major drawback is that IPA has disabled Nonces in the Dogtag backend. These are there to defend against a CSRF attack. What this means is that you should not expose the Dogtag WebUI through the IPA server, either on its Dogtag port or via HTTP proxy. It should be explicitly stated that IPA implements Nonces for its web UI, and does not allow session based calls through to the Dogtag back end, so its configuration is secure. The problem is only exposed if you expose additional web URLs to the Dogtag backend beyond those specified in the PKI Proxy.

Enabling nonces will break IPA.

I've installed and used the standard Java tools for Dogtag and used them to talk to the PKI backend installed by IPA. They work fine.

Currently, IPA acts as a single Agent in Dogtag. This should be fine. For other certificate usage, you should probably use a different agent. IPA does not currently support user certificates. However, there are standard LDAP object classes and attributes that you could conceivably use to record them if you wanted to keep them in a single DirSrv. Obviously, you do not want to put the private keys on the IPA server, so plan accordingly.

Red Hat does not support using the Certificate Server (PKI) backend with its Identity management install for purposes other than support for the IdM (IPA) front end, so beware that you have no "up sell" if you desire to get paid support for IPA.
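To illustrate the nonce point made above, here is an added toy model (not Dogtag or IPA code) of a session-authenticated CA web UI: a cross-site page can cause the browser to send the agent's session cookie, but it cannot read the per-session nonce embedded in the agent's own page, so the forged call only succeeds when nonces are disabled. The class, method and user names are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    nonce: Optional[str]  # None when nonces are disabled


class CaWebUi:
    """Constructed model of a CA agent UI; not Dogtag's implementation."""

    def __init__(self, nonces_enabled: bool) -> None:
        self.nonces_enabled = nonces_enabled
        self.sessions: Dict[str, Session] = {}
        self.approved: List[int] = []

    def login(self, user: str) -> Tuple[str, Optional[str]]:
        """Return (session id set as cookie, nonce embedded in the page)."""
        sid = secrets.token_hex(16)
        nonce = secrets.token_hex(16) if self.nonces_enabled else None
        self.sessions[sid] = Session(user, nonce)
        return sid, nonce

    def approve_request(self, cookie_sid: str, request_id: int,
                        nonce: Optional[str] = None) -> bool:
        """State-changing agent action; succeeds only for an authenticated
        session and, when nonces are on, only with the matching nonce."""
        sess = self.sessions.get(cookie_sid)
        if sess is None:
            return False
        if self.nonces_enabled:
            if nonce is None or not secrets.compare_digest(nonce, sess.nonce):
                return False
        self.approved.append(request_id)
        return True


def simulate(nonces_enabled: bool) -> Tuple[bool, bool]:
    """Return (legitimate call accepted, cross-site forged call accepted)."""
    ui = CaWebUi(nonces_enabled)
    sid, nonce = ui.login("agent")
    legit = ui.approve_request(sid, 42, nonce)
    # The forgery rides on the cookie the browser attaches automatically,
    # but a third-party origin has no way to obtain the nonce.
    forged = ui.approve_request(sid, 43, None)
    return legit, forged
```

With nonces enabled the forged call is rejected; with them disabled, as in the IPA-managed backend, only limiting which URLs are reachable keeps such calls out.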

Thanks a lot again!
Marco

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users