On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> Kamal Perera wrote:
> > Dear all,
> >
> > Seeking your kind advice.
> >
> > If the requirement is for having a scalable corporate CA only, is it
> > possible to get this requirement fulfilled with DogTag only, or install
> > FreeIPA and use the CA functionality only.
>
> IPA limits dogtag to only those features it is interested in. This has been
> expanding recently but you still lose some functionality.
>
> IMHO if all you want is a CA then managing IPA is overkill.
>
> > What are the functional differences and support limitations?
>
> Functionally it depends on what version of IPA you're talking about. Older
> versions only exposed server certificates. Newer versions support user
> certifications, custom profiles and more. It is still just a subset of what
> dogtag supports.
>
> Support from whom? The dogtag community is happy to help (they've always
> helped us).
>

There are lots of questions that can help you decide which path to take: what kinds of certs do you want to issue; to what entities; who will issue them; are you already using FreeIPA in your organisation?

In regards to functional differences, Dogtag CA and KRA are supported with FreeIPA; token processing and standalone OCSP are not.

I disagree somewhat with Rob in that unless you need those other Dogtag subsystems, I see little disadvantage in using FreeIPA. It definitely makes deploying the CA easier and managing renewals easier.

The more you tell us of your requirements, the more we can help :)

Thanks,
Fraser