On 09/23/2015 10:05 AM, Michael Anderson wrote:
> Hi Martin,
> 
> thanks for your reply.
> 
> On 09/23/2015 09:07 AM, Martin Kosek wrote:
>> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>>>   Hi All,
>>>
>>> we're evaluation freeipa/dogtag as a pki management service and hoping to
>>> replace our existing menagerie of bash/openssl scripts. I'm trying to 
>>> establish
>>> a migration path for our existing pki solution and have a few questions:
>> Hi Michael,
>>
>> Before you continue with the project, please keep in mind that FreeIPA PKI
>> capabilities are bound to the FreeIPA objects - i.e. users, hosts or 
>> services.
>> It does not allow you to generate completely random certificates (at the
>> moment).
> 
> Does that mean that I can only generate certificates for hosts running the
> client software?

Well, you need at least the host object in FreeIPA, to be able to generate
certificate for it. It does not need to be effectively used.

> What I'd really like to be able to do is automate Apache/Nginx
> SSL cert generation for our dev/continuous-delivery infrastructure. So I'd 
> like
> to have two or three signing CA's for dev, staging and prod and automate CSR
> creation, signing and deployment. Is this feasible with freeipa?

So the requirement here is to have different Sub-CA for these environments?
FreeIPA 4.2 cannot do Sub-CAs yet, this is work proposed for next release:

https://fedorahosted.org/freeipa/ticket/4559

BTW, this is how you can request renewable certificates for HTTP with FreeIPA:

http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

>>> '* how can I import and use our existing CA signing cert?
>>> * can I import existing server certs and keys?
>> Could you create FreeIPA server CA as subordinate CA to your current CA? To 
>> me,
>> it seems the easiest way as I do not think we have some nice CLIs to inject
>> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
>> have an idea.
>>
>> More here:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructurell
> 
> With my current project I'll be rebuilding a lot of stuff, so starting fresh
> with a new freeipa-generated signing cert won't be such a problem. That said,
> it seems to me that the ability to import and use an existing signing cert
> would lower the adoption threshold for new users.

My point was that if FreeIPA is a subordinate CA, it should be still trusted by
your clients that would have already imported it's CA certificate.

>>> * I'm using Fedora22. When I install dogtag-pki, the user page for 
>>> submitting
>>> csr's is available. But when I install the freeipa package, I get a 404 when
>>> attempting to access the page. Is this functionality available in freeipa?
>> When PKI is configured as part of FreeIPA, FreeIPA takes control of 
>> requesting
>> and passing the certificates from/to user. I think the Dogtag UI should be
>> still somehow accessible, but is not the supported way.
>>
>> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, 
>> or
>> via certmonger (man ipa-getcert) component that even renews the certificate.
>>
>> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more 
>> PKI
>> related capabilities than older versions, for beginning Certificate Profiles,
>> which are a must if you do not want to use just single fixed cert profile.
> 
> I'm using the version packaged with Fedora 22, 4.1.4

Ok. If you want to try the new FreeIPA 4.2 with Certificate Profiles on Fedora
22,  there should be a COPR repo also:

https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/

>> More here:
>> http://www.freeipa.org/page/Releases/4.2.0
>>
>> Martin
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to