On Mon, 09 May 2016, Andy Thompson wrote:
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Monday, May 9, 2016 3:23 PM
To: Andy Thompson <andy.thomp...@e-tcc.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa as organizational CA

On Mon, 09 May 2016, Andy Thompson wrote:
>Is freeipa in RHEL7.2 able to be used as an organizational CA these
>days?  I have a requirement to set one up and like the IPA interface
>and tools, but can't sort out the current state in 4.2 to decipher
>whether this is possible, or even reasonable to try.  I need to set up
>an org sub CA with an offline root CA.
Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL
7.2 does not support sub-CA functionality.


>If I can get an exclusion for the sub-CA bits, can that be added at a
>later time and just run with a root CA for now?  Can it perform all of
>the needs of an org CA outside of an IPA environment?
Not through the IPA interfaces but standard Dogtag is there, with its
(albeit a bit cumbersome) web UI. So I guess you could do what IPA
doesn't allow via that one, though there will be no support for these
functions.

When FreeIPA gets sub-CA support added, an upgrade path should be
there to allow creating sub-CAs.
--
/ Alexander Bokovoy
