On 01/15/2016 05:17 PM, Peter Pakos wrote:
> Hi,
> We've been testing FreeIPA system for a while now and we're getting closer to
> moving it into production.
> I'm considering both CA-less and CA-ful installation types. I hope you guys can
> help me make up my mind and choose the right decision.
> What are the pros and cons of each install type?

Hello Peter,

I am hoping that this is well explained here:


Some useful notes are also in Dmitri Pal's blog post:

> What exactly are we losing if we choose CA-less install?

You will not be able to issue certificates by FreeIPA CA, easily generate host
certificates by ipa-client-install or renew them by certmonger which supports

> One of our requirements is to have a 3rd party HTTP and LDAP certificates
> installed - which install path would be more suitable?

I think both should work. Please see my recent mail:

The FreeIPA Demo is running as CA-ful and with 3rd party HTTP certificate.

> I'm also thinking ahead, when it comes to renewing certificates when they
> expire in 1 year's time, which install type would cause fewer problems?

In CA-ful installation, client certificates or FreeIPA CA subsystem
certificates should just renew automatically. In CA-less, you need to take care
to renew them manually with your 3rd party certificate provider.

> I've failed to find any useful info covering the above points, so if you know
> anything, please just let me know.

I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:


Honza, please let me know if I forget anything.

> I would appreciate your input.
> Thanks in advance.
