On 2.12.2015 15:25, Günther J. Niederwimmer wrote:
> Hello All,
> Am Wednesday 02 December 2015, 21:10:31 schrieb Fraser Tweedale:
>> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
>>> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>>>> Hello ,
>>>> I have the question, know any from the FreeIPA "Gurus" ;-), are the new
>>>> upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
>>> We have plans to support issuing certificates via Let's Encrypt.
>> Günther, what are your specific wishes - to automatically acquire LE
>> certs for FreeIPA server's HTTP and LDAP?  Arbitrary hosts or
>> services that are managed by FreeIPA?
> My wishes :-)).
> when I can have wishes, I mean all ;-) 
> But I nice Integration for IMAP, SMTP, LDAP, HTTPS ... was a dream.
> Now I make a test with FreeIPA and "DANE" I hope this is working ?.

IPA allows you to DNSSEC-sign the domain, the rest is up to you. You have to
create TLSA records for your certificates, put these into DNSSEC-signed domain
and then get *clients* to respect them.

In other words, IPA does nothing except DNSSEC-signing of DNS domains.

>>> However, right now Let's encrypt only issues server certificates, not
>>> CA roots, so you cannot use them to bootstrap IPA CA.
>> This will probably always be the case.

Petr^2 Spacek

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to