On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> Hi,
> 
> We have an in-house CA system managed by a stand-alone Dogtag system, we
> would like to integrate it with our FreeIPA system which is already in use
> and is setup with the company LDAP. I'm new to FreeIPA and I have some
> questions about this process:
> 
> 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> directly? If so, how would I achieve that?
> 
This is not supported, though it's technically feasible (we just
don't have any code to do it).

> 2. If it's not possible to do the above, what about setting up a clone of
> the current FreeIPA system and migrate Dogtag during the installation of
> the replica? Is this a better option?
> 
Same as above... technically feasible but no way to do it right now.

> 3. Any other alternative?
> 
One alternative is to export your CA signing cert and key, and
install a new Dogtag instance in your FreeIPA environment.  The IPA
Dogtag instance would be "detached" from your existing Dogtag
instance but, cryptographically speaking, it would be the same CA.

You would have to tweak serial number ranges to ensure the new
instance doesn't reuse serial numbers that were already used (a
simple procedure).

How well this would work in your organisation would depend on what
sorts of things you use the exiting Dogtag for, how clients expect
to renew certificates, etc.  I'm happy to answer questions you might
have in considering this approach.

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to