On 09/23/2015 10:05 AM, Michael Anderson wrote:
> Hi Martin,
> thanks for your reply.
> On 09/23/2015 09:07 AM, Martin Kosek wrote:
>> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>>> Hi All,
>>> we're evaluating freeipa/dogtag as a pki management service and hoping to
>>> replace our existing menagerie of bash/openssl scripts. I'm trying to
>>> a migration path for our existing pki solution and have a few questions:
>> Hi Michael,
>> Before you continue with the project, please keep in mind that FreeIPA PKI
>> capabilities are bound to the FreeIPA objects - i.e. users, hosts or
>> It does not allow you to generate completely random certificates (at the
> Does that mean that I can only generate certificates for hosts running the
> client software?
Well, you need at least the host object in FreeIPA to be able to generate a
certificate for it. It does not need to be effectively used.
> What I'd really like to be able to do is automate Apache/Nginx
> SSL cert generation for our dev/continuous-delivery infrastructure. So I'd
> to have two or three signing CAs for dev, staging and prod and automate CSR
> creation, signing and deployment. Is this feasible with freeipa?
So the requirement here is to have a different Sub-CA for each of these environments?
FreeIPA 4.2 cannot do Sub-CAs yet; this is work proposed for the next release:
BTW, this is how you can request renewable certificates for HTTP with FreeIPA:
>>> '* how can I import and use our existing CA signing cert?
>>> * can I import existing server certs and keys?
>> Could you create the FreeIPA server CA as a subordinate CA to your current CA? To
>> it seems the easiest way, as I do not think we have any nice CLIs to inject an
>> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
>> have an idea.
>> More here:
> With my current project I'll be rebuilding a lot of stuff, so starting fresh
> with a new freeipa-generated signing cert won't be such a problem. That said,
> it seems to me that the ability to import and use an existing signing cert
> would lower the adoption threshold for new users.
My point was that if FreeIPA is a subordinate CA, it should still be trusted by
your clients that have already imported its CA certificate.
>>> * I'm using Fedora22. When I install dogtag-pki, the user page for
>>> CSRs is available. But when I install the freeipa package, I get a 404 when
>>> attempting to access the page. Is this functionality available in freeipa?
>> When PKI is configured as part of FreeIPA, FreeIPA takes control of
>> and passing the certificates from/to user. I think the Dogtag UI should be
>> still somehow accessible, but is not the supported way.
>> FreeIPA itself can accept CSRs via the cert-request CLI command or the Web UI page,
>> or via the certmonger component (man ipa-getcert), which even renews the certificate.
>> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides many more
>> related capabilities than older versions, for a start Certificate Profiles,
>> which are a must if you do not want to use just a single fixed cert profile.
> I'm using the version packaged with Fedora 22, 4.1.4
Ok. If you want to try the new FreeIPA 4.2 with Certificate Profiles on Fedora
22, there should be a COPR repo also:
>> More here:
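The automation Michael asks about (CSR creation, signing and deployment for an Apache/Nginx host) maps onto the certmonger mechanism Martin mentions: ipa-getcert generates the key and CSR on the host, submits the request to the IPA CA for the service principal, writes the issued certificate out, renews it before expiry and runs a post-save hook so the web server picks up the new file. The script below is an added example written for this thread, not code from the original message or from the FreeIPA project. It assumes the host is already an enrolled IPA client with a Kerberos ticket able to add services, that the certificate and key paths are illustrative, and that the optional profile argument (certmonger's `-T`) is only meaningful on FreeIPA 4.2 or later, where Certificate Profiles exist. The sample `getcert list` output used by the state parser is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Automates a renewable HTTP service certificate on an IPA-enrolled web host.
# Assumptions: enrolled IPA client, valid Kerberos ticket with rights to
# add services, illustrative file paths. DRY_RUN=1 prints commands instead
# of executing them so the flow can be reviewed on a machine without IPA.
set -eu

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the HTTP/<fqdn> service principal (the CA only issues for existing
# IPA objects) and hand the key/CSR/renewal lifecycle to certmonger.
# $1 fqdn, $2 post-save reload command, $3 cert dir, $4 optional 4.2 profile
request_http_cert() {
    fqdn="$1"
    reload_cmd="$2"
    certdir="${3:-/etc/pki/tls}"
    profile="${4:-}"

    run ipa service-add "HTTP/${fqdn}" 2>/dev/null \
        || echo "HTTP/${fqdn}: service already present, continuing" >&2

    set -- ipa-getcert request \
        -I "HTTP-${fqdn}" \
        -K "HTTP/${fqdn}" \
        -k "${certdir}/private/${fqdn}.key" \
        -f "${certdir}/certs/${fqdn}.crt" \
        -N "CN=${fqdn}" \
        -D "${fqdn}" \
        -C "${reload_cmd}"
    if [ -n "$profile" ]; then
        set -- "$@" -T "$profile"   # Certificate Profile, FreeIPA 4.2+ only
    fi
    run "$@"
}

# Extract the "status:" field from `ipa-getcert list` output read on stdin.
cert_state() {
    sed -n 's/^[[:space:]]*status: //p' | head -n 1
}

# Block until the tracked request is issued and in MONITORING, or fail on a
# terminal certmonger state so a CI pipeline does not deploy a missing cert.
wait_for_cert() {
    request_id="$1"
    timeout="${2:-120}"
    if [ "$DRY_RUN" = "1" ]; then
        echo "would wait for request ${request_id} to reach MONITORING"
        return 0
    fi
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        state="$(ipa-getcert list -i "$request_id" | cert_state)"
        case "$state" in
            MONITORING) return 0 ;;
            CA_REJECTED|CA_UNREACHABLE|NEED_GUIDANCE|NEED_CA_CERT)
                echo "request ${request_id} failed: ${state}" >&2
                return 1 ;;
        esac
        sleep 2
        elapsed=$((elapsed + 2))
    done
    echo "timed out waiting for request ${request_id}" >&2
    return 1
}

# Constructed sample of `ipa-getcert list` output, used to exercise cert_state.
SAMPLE_LIST_OUTPUT='Number of certificates and requests being tracked: 1.
Request ID '"'"'HTTP-web01.example.com'"'"':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='"'"'/etc/pki/tls/private/web01.example.com.key'"'"'
	certificate: type=FILE,location='"'"'/etc/pki/tls/certs/web01.example.com.crt'"'"'
	CA: IPA'

# Usage: ./ipa-http-cert.sh web01.example.com "systemctl reload nginx" [certdir] [profile]
case "${1:-}" in
    "") ;;
    *) request_http_cert "$@" && wait_for_cert "HTTP-$1" ;;
esac
```

Running it once per environment host in the delivery pipeline is enough: certmonger owns the renewal afterwards, and the `-C` hook is what turns a renewal into a live reload rather than a cert that expires on disk. Per-environment Sub-CAs are not available in 4.2, so separating dev, staging and prod has to be done with distinct profiles (on 4.2) or distinct IPA deployments until that feature lands.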
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project