On Tue, Aug 16, 2016 at 02:54:41PM +0530, Kaamel Periora wrote:
> Thanks Rob and Fraser, appreciate your time in replying.
>
> Currently we are not using FreeIPA but dogtag 9 as a standalone system
> with RA and OCSP as well.
>
> We thought of migrating to the FreeIPA after looking at the ease of
> management and excellent support community behind.
>
> We require SSL/TLS server certificates and user certificates as well.
>
> Currently our major issue is the continuous changes (not stable) in the
> underlying OS which is Fedora. If we proceed with Dogtag over CentOS or
> RedHat, will that suffice the stability requirements while delivering the
> same level of integration with Fedora?
>
> Your opinion is much appreciated.
>
> Kaamel
>

FreeIPA and Dogtag are both available in RHEL and CentOS, so you can
have FreeIPA's ease of management on a less rapidly-evolving platform.

Caveat: the standalone OCSP subsystem is not supported on RHEL, but
the CA subsystem has an inbuilt OCSP responder which may suffice.

Thanks,
Fraser

> On Fri, Aug 12, 2016 at 6:10 AM, Fraser Tweedale <[email protected]>
> wrote:
>
> > On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> > > Kamal Perera wrote:
> > > > Dear all,
> > > >
> > > > Seeking your kind advice.
> > > >
> > > > If the requirement is for having a scalable corporate CA only, is it
> > > > possible to get this requirement fulfilled with DogTag only, or install
> > > > FreeIPA and use the CA functionality only.
> > >
> > > IPA limits dogtag to only those features it is interested in. This has
> > > been expanding recently but you still lose some functionality.
> > >
> > > IMHO if all you want is a CA then managing IPA is overkill.
> > >
> > > > What are the functional differences and support limitations?
> > >
> > > Functionally it depends on what version of IPA you're talking about.
> > > Older versions only exposed server certificates. Newer versions support
> > > user certifications, custom profiles and more. It is still just a subset
> > > of what dogtag supports.
> > >
> > > Support from whom? The dogtag community is happy to help (they've always
> > > helped us).
> > >
> > There are lots of questions that can help you decide which path to
> > take: what kinds of certs do you want to issue; to what entities;
> > who will issue them; are you already using FreeIPA in your
> > organisation?
> >
> > In regards to functional differences, Dogtag CA and KRA are
> > supported with FreeIPA; token processing and standalone OCSP are
> > not. I disagree somewhat with Rob in that unless you need those
> > other Dogtag subsystems, I see little disadvantage in using FreeIPA.
> > It definitely makes deploying the CA easier and managing renewals
> > easier.
> >
> > The more you tell us of your requirements, the more we can help :)
> >
> > Thanks,
> > Fraser
> >
