On 01/15/2016 05:17 PM, Peter Pakos wrote:
> Hi,
>
> We've been testing FreeIPA system for a while now and we're getting closer to
> moving it into production.
>
> I'm considering both CA-less and CA-ful installation types. I hope you guys can
> help me make up my mind and choose the right decision.
>
> What are the pros and cons of each install type?
Hello Peter,

I am hoping that this is well explained here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options

Some useful notes are also in Dmitri Pal's blog post:
http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/

> What exactly are we losing if we choose CA-less install?

You will not be able to issue certificates by FreeIPA CA, easily generate host
certificates by ipa-client-install or renew them by certmonger which supports
FreeIPA CA.

> One of our requirements is to have a 3rd party HTTP and LDAP certificates
> installed - which install path would be more suitable?

I think both should work. Please see my recent mail:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00243.html

The FreeIPA Demo is running as CA-ful and with 3rd party HTTP certificate.

> I'm also thinking ahead, when it comes to renewing certificates when they
> expire in 1 year time, which install type would cause less problems?

In CA-ful installation, client certificates or FreeIPA CA subsystem certificates
should just renew automatically. In CA-less, you need to take care to renew them
manually with your 3rd party certificate provider.

> I've failed to find any useful info covering the above points, so if you know
> anything, please just let me know.

I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:
http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

Honza, please let me know if I forget anything.

>
> I would appreciate your input.
>
> Thanks in advance.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
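The reply above notes that in a CA-less install the HTTP and LDAP certificates come from a third-party CA, so certmonger cannot renew them and the operator has to watch their expiry by hand. The script below is an added example (it is not code from the thread or from the FreeIPA project): it parses the `notAfter=` line that `openssl x509 -noout -enddate -in <pem>` prints and reports the certificates that expire within a threshold. The file paths, hostnames and the "current" date are constructed for the offline sample; on a real server you would feed it the output of the openssl command for each service certificate.

```python
"""Expiry watch for externally issued (CA-less) FreeIPA service certificates.

Added example, not part of the mailing-list thread. In a CA-less deployment
the HTTP and LDAP certificates are issued by a third-party CA, so certmonger
does not renew them; this check turns `openssl x509 -enddate` output into a
"days left" figure and flags anything inside the renewal window.
"""
import subprocess
from datetime import datetime, timezone

# Constructed sample of what `openssl x509 -noout -enddate -in <pem>` prints
# for two hypothetical service certificates (paths and dates are made up).
SAMPLE_OPENSSL_OUTPUT = {
    "/etc/httpd/alias/http.pem": "notAfter=Jan 15 17:17:00 2017 GMT\n",
    "/etc/dirsrv/slapd-EXAMPLE-COM/ldap.pem": "notAfter=Feb  1 00:00:00 2016 GMT\n",
}

# Constructed reference "now", fixed so the sample gives repeatable results.
REFERENCE_NOW = datetime(2016, 1, 15, 17, 17, tzinfo=timezone.utc)


def parse_not_after(text: str) -> datetime:
    """Extract the notAfter timestamp from openssl's -enddate output as UTC."""
    for line in text.splitlines():
        if line.startswith("notAfter="):
            stamp = line[len("notAfter="):].strip()
            # openssl prints validity times in GMT; parse naive, then tag UTC.
            if stamp.endswith(" GMT"):
                stamp = stamp[:-len(" GMT")]
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter line in openssl output")


def days_remaining(text: str, now: datetime) -> int:
    """Whole days between `now` and the certificate's notAfter (negative if expired)."""
    return (parse_not_after(text) - now).days


def expiring_soon(outputs: dict, now: datetime, threshold_days: int = 30) -> list:
    """Return [(path, days_left)] for certs within the threshold, soonest first."""
    flagged = []
    for path, text in outputs.items():
        left = days_remaining(text, now)
        if left <= threshold_days:
            flagged.append((path, left))
    return sorted(flagged, key=lambda item: item[1])


def openssl_enddate(pem_path: str) -> str:
    """Run the real openssl command for one PEM file (not used by the offline sample)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for path, left in expiring_soon(SAMPLE_OPENSSL_OUTPUT, REFERENCE_NOW):
        print(f"RENEW SOON: {path} expires in {left} days")
```

With the constructed sample the LDAP certificate is flagged (16 days left) while the HTTP one, a year out, is not; raising `threshold_days` to the lead time your third-party CA needs is the only tuning required. The same check is harmless on a CA-ful install, where it simply confirms that certmonger's automatic renewals are keeping up.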