On 05/10/2012 04:52 PM, Rob Crittenden wrote:
> Jan-Frode Myklebust wrote:
>> We're finally implementing IPA in our company (migrating from Sun
>> Identity Manager populated LDAP + manually maintained netgroups and
>> sudoers also in LDAP). I think I understand how to migrate these parts
>> to IPA, but the dogtag part is quite foreign currently.
>> We already have two private PKI infrastructures implemented. One for
>> managing user certificates for about 250 openvpn users, and another for
>> managing certificates for a few internal web services. Should we look
>> into re-using one of these CA's in IPA?
How are the openVPN user certificates used?
Do you create a PKI pair and put it on user laptops?
If this is the case the PKI pair can very well be related to the machine
(laptop) identity rather than user identity.
Then IPA can manage such certs and certmonger can track and renew them.
This assumes that the laptops run Fedora, RHEL, or a version of Ubuntu or
CentOS that supports certmonger, sssd and the ipa client.
> You could install IPA as a subordinate CA of one of them. IPA requires
> its own CA.
>> I think it would be marvelous if IPA/dogtag could create certs/keys for
>> the users, and keep a copy of the users csr's so that it could
>> send the user an updated certificate with an expiry matching the
>> lifetime. Is this something that's possible currently, or on the
>> roadmap maybe?
> Right now the CA is used only to issue server certificates. We have
> user certs on the roadmap but that won't be ready for quite some time
> (year or more, realistically).
Sr. Engineering Manager IPA project,
Red Hat Inc.
Freeipa-users mailing list
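The machine-bound approach suggested above (a certificate tied to the laptop's identity, issued by the IPA CA and tracked and renewed by certmonger) looks like the following in practice. This is an added example, not code from the thread or from the FreeIPA project. It assumes the laptop has already been enrolled with ipa-client-install, that the service principal name "vpn/<host>", the certificate and key paths, and the post-renewal hook are our own choices, and that the flags used (ipa-getcert request -f/-k/-N/-K/-D/-C, ipa-getcert list -f, ipa service-add) behave as in the certmonger and IPA client tools of that era. The DRY_RUN switch is a hypothetical convenience of this script so it can be read and checked without an IPA server present.

```shell
#!/bin/sh
# Added example: enrol a laptop's VPN certificate as a machine-bound
# certificate issued by the IPA CA and kept renewed by certmonger.
# Assumptions (hypothetical, chosen for this example): the host is already
# joined to the IPA domain, the principal is "vpn/<fqdn>", and the paths
# below are where the OpenVPN client config expects its cert and key.
set -eu

# Hypothetical wrapper: with DRY_RUN=1 the command line is printed instead of
# executed, so the script can be reviewed on a machine without IPA tooling.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the service principal the certificate will be bound to.
# This makes the cert part of the machine identity, not a user's identity.
add_vpn_service() {
  host="$1"
  run ipa service-add "vpn/$host"
}

# Step 2: ask certmonger to generate the keypair, build a CSR, submit it to
# the IPA CA and keep tracking the result. Flags:
#   -f/-k  where certmonger writes the certificate and private key
#   -N     subject (CN = the laptop's FQDN)
#   -K     Kerberos principal the cert is issued for
#   -D     dNSName SAN matching the host
#   -C     command run after every (re)issuance so the VPN picks up the new cert
# Renewal is certmonger's default behaviour for a tracked request, so nothing
# needs to be re-run by hand before expiry.
request_vpn_cert() {
  host="$1"; certfile="$2"; keyfile="$3"
  run ipa-getcert request \
    -f "$certfile" -k "$keyfile" \
    -N "CN=$host" -K "vpn/$host" -D "$host" \
    -C "systemctl restart openvpn-client@corp.service"
}

# Step 3: confirm the request is in MONITORING state; anything else
# (CA_UNREACHABLE, NEED_KEY_PAIR, ...) means renewal will not happen silently.
show_tracking() {
  run ipa-getcert list -f "$1"
}

# Typical invocation on the laptop (as root), e.g.:
#   add_vpn_service laptop1.example.com
#   request_vpn_cert laptop1.example.com \
#     /etc/pki/tls/certs/vpn.crt /etc/pki/tls/private/vpn.key
#   show_tracking /etc/pki/tls/certs/vpn.crt
```

Because the private key never leaves the laptop and the CA decides the validity period, this also answers the "keep a copy of the CSR and send an updated certificate" wish for the machine case: certmonger regenerates the CSR itself at renewal time, so nothing has to be stored centrally for that. A user-bound certificate (one per person, following them across machines) is not covered by this flow.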