I hit reply instead of reply all again. Sorry. Adding the list back.

On 02/14/2012 02:43 PM, Dmitri Pal wrote:
> On 02/13/2012 12:43 PM, Marco Pizzoli wrote:
>> Hi Adam,
>>
>> On Mon, Feb 13, 2012 at 5:58 PM, Adam Young <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
>>> Hi,
>>> I see DogTag PKI used as a certificate server for the enrollment
>>> of hosts and services.
>>> What about the enrollment of normal X509v3 certificates? I have
>>> not seen, correct me if I'm wrong, any reference to the
>>> possibility to use it as a regular CA for user certificates. Not
>>> within FreeIPA, of course.
>>>
>>> Is there any drawback in using it as the primary CA for the company?
>>
>> It is a full CA. You can use it as such. Dogtag is a vibrant
>> project in its own right, and you can find developers on
>> #dogtag-pki on Freenode. The install is done via pkisilent, and
>> you might want to make sure that you understand the parameters
>> used to call it.
>>
>> I will. Thanks for the pointer.
>>
>> One major drawback is that IPA has disabled Nonces in the Dogtag
>> backend. These are there to defend against a CSRF attack. What
>> this means is that you should not expose the Dogtag WebUI through
>> the IPA server, either on its Dogtag port or via HTTP proxy. It
>> should be explicitly stated that IPA implements Nonces for its
>> web UI, and does not allow session-based calls through to the
>> Dogtag back end, so its configuration is secure. The problem is
>> only exposed if you expose additional web URLs to the Dogtag
>> backend beyond those specified in the PKI Proxy.
>>
>> Enabling nonces will break IPA.
>>
>> You told me something I wasn't aware of. I will dig into this during
>> the next weeks.
>>
>> I've installed and used the standard Java tools for Dogtag and
>> used them to talk to the PKI backend installed by IPA. They work
>> fine.
>>
>> Ok, this is what I hoped to read! :-)
>>
>> Currently, IPA acts as a single Agent in Dogtag. This should
>> be fine. For other certificate usage, you should probably use
>> a different agent.
>>
>> Please be patient with me, I don't understand yet the concept of
>> "agent". Even a reference to the documentation would be helpful to me.
>
> "Agent" is client-side software that can connect to the CA, authenticate,
> and has a role to perform specific operations against the CA.
>
>> IPA does not currently support user certificates. However,
>> there are standard LDAP object classes and attributes that you
>> could conceivably use to record them if you wanted to keep them
>> in a single DirSrv. Obviously, you do not want to put the
>> private keys on the IPA server, so plan accordingly.
>>
>> I will, I promise :-)
>>
>> Red Hat does not support using the Certificate Server (PKI)
>> backend with its Identity Management install for purposes other
>> than support for the IdM (IPA) front end, so beware that you have
>> no "up sell" if you desire to get paid support for IPA.
>>
>> I understand.
>> I'll add a question I'm curious about: if I remember correctly, on the
>> PKI-user mailing list I read a user complaining about RH not selling
>> RHCS standalone anymore. Is it true?
>
> It is true to some extent.
> It is sold under special conditions. For more info on RHCS sales
> conditions you need to go via official RH channels.
>
>> You've been very helpful! Your blog too. :-)
>> Thanks a lot!
>> Marco
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
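The nonce point Adam makes above is the one a deployer is most likely to get wrong, so here is an added illustration of what a per-session nonce buys against CSRF. This is editor-written example code, not Dogtag, IPA or PKI Proxy code, and it does not reproduce how Dogtag carries or validates its nonce parameter; the "revoke certificate" endpoint, the Session class, the hypothetical agent user and the serial "0x2a" are all constructed for the example. It models a browser that attaches the victim's session cookie to any request, including one forged by a cross-site page, and shows that the forged request succeeds when the nonce check is off and fails when it is on.

```python
# Added illustration of the CSRF defence that a per-session nonce provides.
# Not Dogtag/IPA code; names, endpoint and sample data are constructed.
import hmac
import secrets


class Session:
    """Server-side session state keyed by the browser's session cookie.

    Hypothetical: stands in for whatever the web UI keeps per login."""

    def __init__(self, user):
        self.user = user
        self.nonce = None


def issue_nonce(session):
    """Mint a fresh unguessable nonce and bind it to the session.

    The legitimate UI embeds it in the form it renders. A cross-site page
    cannot read it, because the same-origin policy blocks that read, so a
    forged request can carry the cookie but not the nonce."""
    session.nonce = secrets.token_hex(16)
    return session.nonce


def revoke_certificate(session, params, require_nonce, revoked):
    """Handle a state-changing request (constructed endpoint).

    `params` is the submitted form, `revoked` the set of revoked serials.
    Returns (status, message). With require_nonce=False the session cookie
    alone authorises the action, which is the CSRF-exposed configuration."""
    if session is None or session.user is None:
        return 401, "no authenticated session"
    if require_nonce:
        supplied = params.get("nonce", "")
        # constant-time compare so the check does not leak the nonce by timing
        if session.nonce is None or not hmac.compare_digest(supplied, session.nonce):
            return 403, "missing or invalid nonce"
    serial = params.get("serial")
    if serial is None:
        return 400, "serial required"
    revoked.add(serial)
    return 200, "revoked " + serial


def simulate_csrf(require_nonce):
    """Victim (an agent) is logged in; an attacker page forges a POST that the
    victim's browser sends with the victim's cookie but without the nonce.
    Returns (HTTP status, whether the forged revocation took effect)."""
    victim = Session(user="agent")          # constructed user
    issue_nonce(victim)                     # the real UI already got a nonce
    revoked = set()
    forged = {"serial": "0x2a"}             # attacker knows a serial, not the nonce
    status, _ = revoke_certificate(victim, forged, require_nonce, revoked)
    return status, "0x2a" in revoked


def legitimate_request(serial="0x2a"):
    """The real UI submits the nonce it was issued; the action goes through."""
    victim = Session(user="agent")
    nonce = issue_nonce(victim)
    revoked = set()
    params = {"serial": serial, "nonce": nonce}
    status, _ = revoke_certificate(victim, params, True, revoked)
    return status, serial in revoked


if __name__ == "__main__":
    print("nonces disabled:", simulate_csrf(False))   # (200, True)
    print("nonces enabled: ", simulate_csrf(True))    # (403, False)
    print("legitimate:     ", legitimate_request())   # (200, True)
```

The takeaway matches the thread: with nonces off, anything that can make the agent's browser send a request to the CA's web endpoints can act as that agent, so the only safe posture is to expose nothing beyond the URLs the PKI Proxy deliberately forwards.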
