I'm looking at deploying FreeIPA in a few environments with substantial DNS and/or CA infrastructure, and have some choices to make...

How much trouble will I have if FreeIPA is delegated a zone like ipa.example.com with all clients in example.com or other children? (No overlap with AD-managed zones, but in at least one case autodiscovery won't be possible due to mixed clients in the parent zone.)

What's the best way to play nice with existing PKI -- generate a CA CSR at installation time and sign that? Is there any provision for automatically renewing these certs, say if the external CA were to be subsumed by a dedicated Dogtag instance?

Advice and experience appreciated, before I paint myself into a corner somewhere... Thanks!


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to