On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> Kamal Perera wrote:
> > Dear all,
> > 
> > Seeking your kind advices.
> > 
> > If the requirement is for having a scalable corporate CA only, is it
> > possible to get this requirement fulfilled with DogTag only, or install
> > FreeIPA and use the CA functionality only.
> 
> IPA limits dogtag to only those features it is interested in. This has been
> expanding recently but you still lose some functionality.
> 
> IMHO if all you want is a CA then managing IPA is overkill.
> 
> > What are the functional differences and support limitations?
> 
> Functionally it depends on what version of IPA you're talking about. Older
> versions only exposed server certificates. Newer versions support user
> certifications, custom profiles and more. It is still just a subset of what
> dogtag supports.
> 
> Support from whom? The dogtag community is happy to help (they've always
> helped us).
> 
There are lots of questions that can help you decide which path to
take: what kinds of certs do you want to issue; to what entities;
who will issue them; are you already using FreeIPA in your
organisation?

In regards to functional differences, Dogtag CA and KRA are
supported with FreeIPA; token processing and standalone OCSP are
not.  I disagree somewhat with Rob in that unless you need those
other Dogtag subsystems, I see little disadvantage in using FreeIPA.
It definitely makes deploying the CA easier and managing renewals
easier.

The more you tell us of your requirements, the more we can help :)

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to