Hi Martin,

thanks for your reply.

On 09/23/2015 09:07 AM, Martin Kosek wrote:
On 09/22/2015 12:41 PM, Michael Anderson wrote:
  Hi All,

we're evaluation freeipa/dogtag as a pki management service and hoping to
replace our existing menagerie of bash/openssl scripts. I'm trying to establish
a migration path for our existing pki solution and have a few questions:
Hi Michael,

Before you continue with the project, please keep in mind that FreeIPA PKI
capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
It does not allow you to generate completely random certificates (at the 

Does that mean that I can only generate certificates for hosts running the client software? What I'd really like to be able to do is automate Apache/Nginx SSL cert generation for our dev/continuous-delivery infrastructure. So I'd like to have two or three signing CA's for dev, staging and prod and automate CSR creation, signing and deployment. Is this feasible with freeipa?

'* how can I import and use our existing CA signing cert?
* can I import existing server certs and keys?
Could you create FreeIPA server CA as subordinate CA to your current CA? To me,
it seems the easiest way as I do not think we have some nice CLIs to inject
existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
have an idea.

More here:

With my current project I'll be rebuilding a lot of stuff, so starting fresh with a new freeipa-generated signing cert won't be such a problem. That said, it seems to me that the ability to import and use an existing signing cert would lower the adoption threshold for new users.

* I'm using Fedora22. When I install dogtag-pki, the user page for submitting
csr's is available. But when I install the freeipa package, I get a 404 when
attempting to access the page. Is this functionality available in freeipa?
When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
and passing the certificates from/to user. I think the Dogtag UI should be
still somehow accessible, but is not the supported way.

FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
via certmonger (man ipa-getcert) component that even renews the certificate.

BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
related capabilities than older versions, for beginning Certificate Profiles,
which are a must if you do not want to use just single fixed cert profile.

I'm using the version packaged with Fedora 22, 4.1.4

More here:


Michael Anderson
IT Services & Support

elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany

phone +49 30 23 45 86 96      michael.anderson at elegosoft.com
fax   +49 30 23 45 86 95      http://www.elegosoft.com

Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin Amtsgericht
Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to