On 03/13/2015 02:51 PM, Johnny Tan wrote:
On Fri, Mar 13, 2015 at 2:15 PM, Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com>> wrote:

    Rob would definitely know more but IPA mostly provides certs for
    the infra it serves and has a limited use of the certs by itself.
    So here is where I know it is used:
    - You can issue certs for hosts and services, and the installer used to
    create certs for hosts automatically, though these certs are not
    used for anything, and we decided not to create them automatically
    any more.
    - You need to trust IPA in the browser so that you can do forms-based
    authentication if you do not have a Kerberos ticket.
    - To issue certs we use Dogtag, and Dogtag understands only cert-based
    authentication, so internally the communication between the
    management framework and Dogtag uses SSL. This is actually why the
    host-del fails. The host had a cert issued by the IPA CA, so as part of
    the del operation it tries to revoke the cert, but since you
    reconfigured the system to be CA-less it can't and fails.

    The communication between the LDAP servers is Kerberos authenticated.

I'll wait for Rob to weigh in, but wow, this would actually be huge for us and probably a lot of other users. Because if the above is true (and complete, I guess), then we could actually just run a CA-less FreeIPA setup, and then generate certs specifically and only for the web (apache) side, which is easy enough and we do it already for all other internal web services. That limits cert-related stuff to just one web SSL cert per IPA master.

This is up to you but that means you would not be able to deal with SSL for some other use cases down the road. IPA 4.2 has a lot of new functionality to make it easier to issue and manage certificates for different use cases like: system provisioning, VPN, devices, wireless, PaaS/IaaS stacks that use certs for SSL internally etc. Going CA-less will prevent you from leveraging these capabilities once you realize they are needed down the road.

Maybe you would not need them, but I would encourage you to look at this in a longer perspective than just immediate needs.

    We have a special tool in FreeIPA 4.2 to do this. The manual
    procedure is cumbersome and leads to issues like this.

And to be correct it is in 4.1 and already released. Sorry for typo.

Yeah, I saw that, but we are still doing 3.0 on CentOS 6.6, which is why we had to go down the manual path.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
