On Wed, Aug 17, 2016 at 10:52:53AM +0530, Kaamel Periora wrote:
> Thanks.
> 
> One last question :)
> 
> Will that be feasible to have all the systems (CA, RA, OCSP) on top of
> fedora and upgrade the OS as well as CS with the latest ones time to time.
> This should not affect the existing data or configuration. With Fedora this
> seems to be a must.
> 
It is feasible, and if you want to stay on supported releases you
will need to do it more frequently on Fedora than on RHEL or CentOS,
because Fedora evolves faster and orphans old releases more eagerly.
Your choice depends on your organisation's technical requirements
and risk appetite ;)

Thanks,
Fraser

> On Tue, Aug 16, 2016 at 5:25 PM, Fraser Tweedale <ftwee...@redhat.com>
> wrote:
> 
> > On Tue, Aug 16, 2016 at 04:29:02PM +0530, Kaamel Periora wrote:
> > > Thanks Fraser.
> > >
> > > So basically I can rule out FreeIPA and go ahead with DogTag.
> > >
> > > According to our security requirements, it is not wise to let the general
> > > public access to the OCSP service running on the CA. I suppose having an
> > > OCSP over Fedora while the others run on CentOS would do.
> > >
> > Sure, you can deploy it that way.  I do not know of anyone who has
> > done so but it should work.
> >
> > > How about RA, can I have it over CentOS?
> > >
> > We no longer have a separate RA subsystem.  RA capabilities are
> > conceptually part of the CA subsystem now.
> >
> > > On Tue, Aug 16, 2016 at 3:04 PM, Fraser Tweedale <ftwee...@redhat.com>
> > > wrote:
> > >
> > > > On Tue, Aug 16, 2016 at 02:54:41PM +0530, Kaamel Periora wrote:
> > > > > Thanks Rob and Fraser, appreciate your time in replying.
> > > > >
> > > > > > Currently we are not using FreeIPA but dogtag 9 as a standalone system
> > > > > > with RA and OCSP as well.
> > > > >
> > > > > > We thought of migrating to the FreeIPA after looking at the ease of
> > > > > > management and excellent support community behind.
> > > > >
> > > > > We require SSL/TLS server certificates and user certificates as well.
> > > > >
> > > > > > Currently our major issue is the continuous changes (not stable) in the
> > > > > > underlying OS which is Fedora. If we proceed with Dogtag over CentOS or
> > > > > > RedHat, will that suffice the stability requirements while delivering the
> > > > > > same level of integration with Fedora?
> > > > >
> > > > > > Your opinion is much appreciated.
> > > > >
> > > > > Kaamel
> > > > >
> > > > FreeIPA and Dogtag are both available in RHEL and CentOS, so you can
> > > > have FreeIPA's ease of management on a less rapidly-evolving
> > > > platform.
> > > >
> > > > Caveat: the standalone OCSP subsystem is not supported on RHEL, but
> > > > the CA subsystem has an inbuilt OCSP responder which may suffice.
> > > >
> > > > Thanks,
> > > > Fraser
> > > >
> > > > > > On Fri, Aug 12, 2016 at 6:10 AM, Fraser Tweedale <ftwee...@redhat.com>
> > > > > > wrote:
> > > > >
> > > > > > On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> > > > > > > Kamal Perera wrote:
> > > > > > > > Dear all,
> > > > > > > >
> > > > > > > > > Seeking your kind advice.
> > > > > > > >
> > > > > > > > > If the requirement is for having a scalable corporate CA only, is it
> > > > > > > > > possible to get this requirement fulfilled with DogTag only, or install
> > > > > > > > > FreeIPA and use the CA functionality only.
> > > > > > >
> > > > > > > > IPA limits dogtag to only those features it is interested in. This has been
> > > > > > > > expanding recently but you still lose some functionality.
> > > > > > >
> > > > > > > IMHO if all you want is a CA then managing IPA is overkill.
> > > > > > >
> > > > > > > > What are the functional differences and support limitations?
> > > > > > >
> > > > > > > > Functionally it depends on what version of IPA you're talking about. Older
> > > > > > > > versions only exposed server certificates. Newer versions support user
> > > > > > > > certifications, custom profiles and more. It is still just a subset of what
> > > > > > > > dogtag supports.
> > > > > > >
> > > > > > > > Support from whom? The dogtag community is happy to help (they've always
> > > > > > > > helped us).
> > > > > > >
> > > > > > There are lots of questions that can help you decide which path to
> > > > > > take: what kinds of certs do you want to issue; to what entities;
> > > > > > who will issue them; are you already using FreeIPA in your
> > > > > > organisation?
> > > > > >
> > > > > > > In regards to functional differences, Dogtag CA and KRA are
> > > > > > > supported with FreeIPA; token processing and standalone OCSP are
> > > > > > > not.  I disagree somewhat with Rob in that unless you need those
> > > > > > > other Dogtag subsystems, I see little disadvantage in using FreeIPA.
> > > > > > > It definitely makes deploying the CA easier and managing renewals
> > > > > > > easier.
> > > > > >
> > > > > > The more you tell us of your requirements, the more we can help :)
> > > > > >
> > > > > > Thanks,
> > > > > > Fraser
> > > > > >
> > > >
> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project