On 01/15/2016 05:17 PM, Peter Pakos wrote:
> Hi,
> 
> We've been testing FreeIPA system for a while now and we're getting closer to
> moving it into production.
> 
> I'm considering both CA-less and CA-ful installation types. I hope you guys 
> can
> help me make my mind and choose the right decision.
> 
> What are the pros and cons of each install type?

Hello Peter,

I am hoping that this is well explained here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options

Some useful notes are also Dmitri Pal's blog post:
http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/

> What exactly are we loosing if we choose CA-less install?

You will not be able to issue certificates by FreeIPA CA, easily generate host
certificates by ipa-client-install or renew them by certmonger which supports
FreeIPA CA.

> One of our requirements is to have a 3rd party HTTP and LDAP certificates
> installed - which install path would be more suitable?

I think both should work. Please see my recent mail:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00243.html

The FreeIPA Demo is running as CA-ful and with 3rd party HTTP certificate.

> I'm also thinking ahead, when it comes to renewing certificates when they
> expire in 1 year time, which install type would cause less problems?

In CA-ful installation, client certificates or FreeIPA CA subsystem
certificates should just renew automatically. In CA-less, you need to take care
to renew them manually with your 3rd party certificate provider.

> I've failed to find any useful info covering the above points, so if you know
> anything, please just let me know.

I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:

http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

Honza, please let me know if I forget anything.

> 
> I would appreciate your input.
> 
> Thanks in advance.
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to