Jan-Frode Myklebust wrote:
We're finally implementing IPA in our company (migrating from Sun
Identity Manager populated LDAP + manually maintained netgroups and
sudoers also in LDAP). I think I understand how to migrate these parts
to IPA, but the dogtag part is quite foreign currently..

We already have two private PKI infrastructures implemented. One for
managing user certificates for about 250 openvpn users, and another for
managing certificates for a few internal web services. Should we look
into re-using one of these CAs in IPA?

You could install IPA as a subordinate CA of one of them. IPA requires its own CA.

I think it would be marvelous if IPA/dogtag could create certs/keys for
the users, and keep a copy of the users' CSRs so that it could automatically
send the user an updated certificate with an expiry matching the password
lifetime. Is this something that's possible currently, or on the roadmap maybe?

Right now the CA is used only to issue server certificates. We have user certs on the roadmap but that won't be ready for quite some time (year or more, realistically).


Freeipa-users mailing list