Hi Adam,

On Mon, Feb 13, 2012 at 5:58 PM, Adam Young <ayo...@redhat.com> wrote:

>  On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
> Hi,
> I see DogTag PKI used as a certificate server for the enrollment of hosts
> and services.
> What about the enrollment of normal X509v3 certificates? I have not seen,
> correct me if I'm wrong, any reference to the possibility to use it as a
> regular CA for user certificates. Not within FreeIPA, of course.
> Is there any drawback in using it as the primary CA for the company?
> It is a full CA.  You can use it as such.  Dogtag is a vibrant project in
> its own right,  and you can find developers on #dogtag-pki in Freenode.
> The install is done via pkisilent,  and you might want to make sure that
> you understand the parameters used to call it.

I will. Thanks for the pointer.

> One major drawback is that IPA has disabled Nonces in the Dogtag backend.
> These are there to defend against a CSRF attack.  What this means is that
> you should not expose the Dogtag WebUI through the IPA server,  either on
> its Dogtag port or via HTTP proxy.  It should be explicitly stated that IPA
> implements Nonces for its web UI, and does not allow session based calls
> through to the Dogtag back end,  so its configuration is secure.  The
> problem is only exposed if you expose additional web URLs to the Dogtag
> backend beyond those specified in the PKI Proxy.
> Enabling nonces will break IPA.

You told me something I wasn't aware of. I will dig into this during next

>  I've installed and used the standard Java tools for Dogtag and used them
> to talk to the PKI backend installed by IPA.  They work fine.

Ok, this is what I hoped to read! :-)

 Currently,  IPA acts as a single Agent in Dogtag.   This should be fine.
> For other certificate usage,   you should probably use a different agent.

Please be patient with me, I don't understand yet the concept of "agent".
Even a reference to the documentation would be helpful to me.

> IPA does not currently support user certificates.  However,  there are
> standard LDAP object classes and attributes that you could conceivably use
> to record them if you wanted to keep them in a single DirSrv.  Obviosuly,
> you do not want to put the private keys on the IPA server, so plan
> accordingly.

I will, I promise :-)

>  Red Hat does not support using the Certificate Server (PKI) backend with
> its Identity management install for purposes other than support for the IdM
> (IPA) front end, so beware that you have no "up sell" if you desire to get
> paid support for IPA.

I understand.
I link a question I'm curious of: if I remember correctly, on the PKI-user
mailing list I read a user complaining about RH not selling RHCS standalone
anymore. Is it true?

You've been very helpful! Your blog too.. :-)
Thanks a lot!
Freeipa-users mailing list

Reply via email to