On Tue, Aug 16, 2016 at 04:29:02PM +0530, Kaamel Periora wrote:
> Thanks Fraser.
>
> So basically I can rule out FreeIPA and go ahead with DogTag.
>
> According to our security requirements, it is not wise to let the general
> public access the OCSP service running on the CA. I suppose having an
> OCSP over Fedora while the others run on CentOS would do.
>
Sure, you can deploy it that way.  I do not know of anyone who has done
so but it should work.

> how about RA, can I have it over CentOS?
>
We no longer have a separate RA subsystem.  RA capabilities are
conceptually part of the CA subsystem now.

> On Tue, Aug 16, 2016 at 3:04 PM, Fraser Tweedale <ftwee...@redhat.com>
> wrote:
>
> > On Tue, Aug 16, 2016 at 02:54:41PM +0530, Kaamel Periora wrote:
> > > Thanks Rob and Fraser, appreciate your time in replying.
> > >
> > > Currently we are not using FreeIPA but dogtag 9 as a standalone system
> > > with RA and OCSP as well.
> > >
> > > We thought of migrating to FreeIPA after looking at the ease of
> > > management and the excellent support community behind it.
> > >
> > > We require SSL/TLS server certificates and user certificates as well.
> > >
> > > Currently our major issue is the continuous changes (not stable) in the
> > > underlying OS, which is Fedora. If we proceed with Dogtag over CentOS or
> > > RedHat, will that suffice for the stability requirements while delivering
> > > the same level of integration as with Fedora?
> > >
> > > Your opinion is much appreciated.
> > >
> > > Kaamel
> > >
> > FreeIPA and Dogtag are both available in RHEL and CentOS, so you can
> > have FreeIPA's ease of management on a less rapidly-evolving
> > platform.
> >
> > Caveat: the standalone OCSP subsystem is not supported on RHEL, but
> > the CA subsystem has an inbuilt OCSP responder which may suffice.
> >
> > Thanks,
> > Fraser
> >
> > > On Fri, Aug 12, 2016 at 6:10 AM, Fraser Tweedale <ftwee...@redhat.com>
> > > wrote:
> > >
> > > > On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> > > > > Kamal Perera wrote:
> > > > > > Dear all,
> > > > > >
> > > > > > Seeking your kind advice.
> > > > > >
> > > > > > If the requirement is for having a scalable corporate CA only, is it
> > > > > > possible to get this requirement fulfilled with DogTag only, or
> > > > > > install FreeIPA and use the CA functionality only?
> > > > >
> > > > > IPA limits dogtag to only those features it is interested in. This has
> > > > > been expanding recently but you still lose some functionality.
> > > > >
> > > > > IMHO if all you want is a CA then managing IPA is overkill.
> > > > >
> > > > > > What are the functional differences and support limitations?
> > > > >
> > > > > Functionally it depends on what version of IPA you're talking about.
> > > > > Older versions only exposed server certificates. Newer versions support
> > > > > user certifications, custom profiles and more. It is still just a
> > > > > subset of what dogtag supports.
> > > > >
> > > > > Support from whom? The dogtag community is happy to help (they've
> > > > > always helped us).
> > > > >
> > > > There are lots of questions that can help you decide which path to
> > > > take: what kinds of certs do you want to issue; to what entities;
> > > > who will issue them; are you already using FreeIPA in your
> > > > organisation?
> > > >
> > > > In regards to functional differences, Dogtag CA and KRA are
> > > > supported with FreeIPA; token processing and standalone OCSP are
> > > > not.  I disagree somewhat with Rob in that unless you need those
> > > > other Dogtag subsystems, I see little disadvantage in using FreeIPA.
> > > > It definitely makes deploying the CA easier and managing renewals
> > > > easier.
> > > >
> > > > The more you tell us of your requirements, the more we can help :)
> > > >
> > > > Thanks,
> > > > Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
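The thread turns on the CA subsystem's inbuilt OCSP responder and on who should be able to reach it. The script below is an added example, not code from the thread, from Dogtag or from FreeIPA: it runs one complete OCSP exchange offline with the openssl CLI, so you can see what a responder must answer from its view of certificate state and what a relying party verifies before trusting the answer. The openssl responder reading an openssl-ca style index file stands in for the CA's own responder; the CA name, server name, serial number and index rows are all constructed for the example, and signing with the CA key directly is a simplification (a dedicated OCSP signing certificate is the normal choice).

```shell
#!/bin/sh
# Added example (not from the thread, Dogtag or FreeIPA): a complete OCSP
# request/response/verify exchange done offline with the openssl CLI.
# The openssl "responder" reading an index file stands in for the CA
# subsystem's inbuilt OCSP responder; names, serial and index rows are
# constructed for this demonstration.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed test PKI: one root CA and one server certificate with
# serial 0x1001 (hypothetical names, not a real deployment).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" -keyout srv.key -out srv.csr >/dev/null 2>&1
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -set_serial 4097 \
        -days 90 -out srv.pem >/dev/null 2>&1
}

# What the responder consults: an openssl-ca style index, one row per
# issued certificate.  Tab-separated fields: status (V=valid, R=revoked),
# expiry, revocation time (empty unless R), serial in hex, file name,
# subject DN.  The expiry value is a constructed placeholder; the ocsp
# responder does not read it.
write_index() {   # $1 = V or R
    if [ "$1" = R ]; then
        printf 'R\t991231235959Z\t%s\t1001\tunknown\t/CN=server.example.test\n' \
            "$(date -u +%y%m%d%H%M%SZ)" > index.txt
    else
        printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=server.example.test\n' > index.txt
    fi
}

# The exchange itself.  Prints the status word the relying party ends up
# with for srv.pem: "good" or "revoked".
ocsp_status() {   # $1 = V or R, the state recorded for serial 0x1001
    write_index "$1"
    # 1. Relying party: build the request for srv.pem (CertID = hashes of
    #    the issuer name and issuer key plus the serial).  The nonce is
    #    omitted so the offline verify step can rebuild an identical request.
    openssl ocsp -issuer ca.pem -cert srv.pem -no_nonce -reqout req.der >/dev/null 2>&1
    # 2. Responder: look the serial up in the index and sign the response.
    #    The CA key signs directly here (simplification, see lead-in).
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    # 3. Relying party: verify the response signature and the signer's
    #    chain against the trusted CA, then read the status for srv.pem.
    openssl ocsp -issuer ca.pem -cert srv.pem -no_nonce -CAfile ca.pem \
        -respin resp.der 2>/dev/null | awk '/^srv\.pem:/ { print $2; exit }'
}

make_pki
echo "while valid:  $(ocsp_status V)"
echo "after revoke: $(ocsp_status R)"
```

Step 3 is the part that matters for the access question raised in the thread: the relying party only needs to reach the responder and to hold the CA certificate; nothing in the exchange requires it to reach any other CA interface, so exposing the OCSP path alone (or a separate responder on its own host, as proposed above) is sufficient for status checking.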