On Wed, May 11, 2016 at 12:06:39PM +0000, Andy Thompson wrote: > > Andy, you can install FreeIPA as a sub-CA of your offline root. > > Support for creating sub-CAs *within* FreeIPA, under the "main" > > FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet > > available but I am working on that. But if you only need one CA as a sub-CA > > of an offline root, you can use FreeIPA today. > > > > I've got this setup and working with an openssl minted root CA, I've minted a > few certs and it all seems to work well enough. I'm trying to sort out what > features I might be missing using the FreeIPA implementation in this setup as > compared to setting up dogtag, ejbca or looking at the RHCS product. > > I've tried accessing the dogtag web console and it doesn't work on the IPA > server. > The full Dogtag web UI is available on port 8443.
If you features like token processing or dedicated OCSP instance, these are only officially supported as part of RHCS. Cheers, Fraser -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project