On 09/22/2015 12:41 PM, Michael Anderson wrote:
> Hi All,
> we're evaluating freeipa/dogtag as a pki management service and hoping to
> replace our existing menagerie of bash/openssl scripts. I'm trying to
> a migration path for our existing pki solution and have a few questions:
Before you continue with the project, please keep in mind that FreeIPA PKI
capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
It does not allow you to generate completely random certificates (at the
> * how can I import and use our existing CA signing cert?
> * can I import existing server certs and keys?
Could you create the FreeIPA server CA as a subordinate CA to your current CA? To me,
it seems the easiest way, as I do not think we have any nice CLIs to inject an
existing CA cert+key into FreeIPA/Dogtag. CCing Jan and Fraser to see if they
have an idea.
> * I'm using Fedora 22. When I install dogtag-pki, the user page for submitting
> CSRs is available. But when I install the freeipa package, I get a 404 when
> attempting to access the page. Is this functionality available in freeipa?
When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
and passing the certificates from/to the user. I think the Dogtag UI should
still be accessible somehow, but it is not the supported way.
FreeIPA itself can accept CSRs via the cert-request CLI command or the Web UI page, or
via the certmonger component (man ipa-getcert), which even renews the certificate.
BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides many more PKI
related capabilities than older versions, starting with Certificate Profiles,
which are a must if you do not want to use just a single fixed cert profile.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
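The two request paths the reply names (a one-shot `ipa cert-request` with a locally generated CSR, and a certmonger-tracked request via `ipa-getcert request` that renews on its own), as an added example that is not part of the thread. It assumes an IPA-enrolled host with a Kerberos ticket; the FQDN, service principal, file paths and the profile id are placeholders, and with `IPA_DRY_RUN=1` the commands are printed instead of run so the script can be checked on a machine without IPA.

```shell
#!/bin/sh
# Added example, not from the thread: request a service certificate from the
# FreeIPA CA without touching the Dogtag UI.
#   1. one-shot:  build a CSR with openssl, submit it with `ipa cert-request`
#   2. tracked:   let certmonger generate key+CSR and renew automatically
#                 via `ipa-getcert request` (see man ipa-getcert)
# Assumptions: the host is enrolled in IPA and has a valid ticket; principal,
# FQDN, paths and profile id below are placeholders you replace.
# IPA_DRY_RUN=1 prints each command instead of executing it.

IPA_DRY_RUN="${IPA_DRY_RUN:-0}"

# Echo the command when dry-running, otherwise execute it.
run() {
    if [ "$IPA_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. One-shot request.  $1 = FQDN, $2 = service principal
#    (e.g. HTTP/www.example.test), $3 = profile id (IPA 4.2+; the default
#    service profile is caIPAserviceCert).
request_once() {
    fqdn="$1"; principal="$2"; profile="${3:-caIPAserviceCert}"
    key="/etc/pki/tls/private/${fqdn}.key"
    csr="/tmp/${fqdn}.csr"
    # 2048-bit RSA key and a CSR whose CN is the host FQDN; the IPA CA checks
    # that the subject matches the host the principal belongs to.
    run openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=${fqdn}"
    # Submit the CSR to the IPA CA under the given principal and profile.
    run ipa cert-request "$csr" --principal="$principal" --profile-id="$profile"
}

# 2. Tracked request: certmonger creates the key, submits the CSR to IPA,
#    stores the cert and renews it before expiry.  Same arguments as above.
request_tracked() {
    fqdn="$1"; principal="$2"; profile="${3:-caIPAserviceCert}"
    run ipa-getcert request \
        -f "/etc/pki/tls/certs/${fqdn}.crt" \
        -k "/etc/pki/tls/private/${fqdn}.key" \
        -K "$principal" -N "CN=${fqdn}" -T "$profile"
}

# Show what certmonger is tracking and the status of each request.
show_tracking() {
    run ipa-getcert list
}
```

Run `IPA_DRY_RUN=1 sh script.sh` after appending a call such as `request_tracked www.example.test HTTP/www.example.test` to see the exact command line; drop the variable on an enrolled host to execute it. The tracked path is the one to prefer for long-lived services, since certmonger handles renewal, while the one-shot path fits migrations where the key already exists outside certmonger.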