On 09/23/2015 10:05 AM, Michael Anderson wrote: > Hi Martin, > > thanks for your reply. > > On 09/23/2015 09:07 AM, Martin Kosek wrote: >> On 09/22/2015 12:41 PM, Michael Anderson wrote: >>> Hi All, >>> >>> we're evaluation freeipa/dogtag as a pki management service and hoping to >>> replace our existing menagerie of bash/openssl scripts. I'm trying to >>> establish >>> a migration path for our existing pki solution and have a few questions: >> Hi Michael, >> >> Before you continue with the project, please keep in mind that FreeIPA PKI >> capabilities are bound to the FreeIPA objects - i.e. users, hosts or >> services. >> It does not allow you to generate completely random certificates (at the >> moment). > > Does that mean that I can only generate certificates for hosts running the > client software?
Well, you need at least the host object in FreeIPA, to be able to generate certificate for it. It does not need to be effectively used. > What I'd really like to be able to do is automate Apache/Nginx > SSL cert generation for our dev/continuous-delivery infrastructure. So I'd > like > to have two or three signing CA's for dev, staging and prod and automate CSR > creation, signing and deployment. Is this feasible with freeipa? So the requirement here is to have different Sub-CA for these environments? FreeIPA 4.2 cannot do Sub-CAs yet, this is work proposed for next release: https://fedorahosted.org/freeipa/ticket/4559 BTW, this is how you can request renewable certificates for HTTP with FreeIPA: http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger >>> '* how can I import and use our existing CA signing cert? >>> * can I import existing server certs and keys? >> Could you create FreeIPA server CA as subordinate CA to your current CA? To >> me, >> it seems the easiest way as I do not think we have some nice CLIs to inject >> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they >> have an idea. >> >> More here: >> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructurell > > With my current project I'll be rebuilding a lot of stuff, so starting fresh > with a new freeipa-generated signing cert won't be such a problem. That said, > it seems to me that the ability to import and use an existing signing cert > would lower the adoption threshold for new users. My point was that if FreeIPA is a subordinate CA, it should be still trusted by your clients that would have already imported it's CA certificate. >>> * I'm using Fedora22. When I install dogtag-pki, the user page for >>> submitting >>> csr's is available. But when I install the freeipa package, I get a 404 when >>> attempting to access the page. Is this functionality available in freeipa? >> When PKI is configured as part of FreeIPA, FreeIPA takes control of >> requesting >> and passing the certificates from/to user. I think the Dogtag UI should be >> still somehow accessible, but is not the supported way. >> >> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, >> or >> via certmonger (man ipa-getcert) component that even renews the certificate. >> >> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more >> PKI >> related capabilities than older versions, for beginning Certificate Profiles, >> which are a must if you do not want to use just single fixed cert profile. > > I'm using the version packaged with Fedora 22, 4.1.4 Ok. If you want to try the new FreeIPA 4.2 with Certificate Profiles on Fedora 22, there should be a COPR repo also: https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/ >> More here: >> http://www.freeipa.org/page/Releases/4.2.0 >> >> Martin > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project