I'm looking at deploying FreeIPA in a few environments with substantial
DNS and/or CA infrastructure, and have some choices to make...

How much trouble will I have if FreeIPA is delegated a zone like
ipa.example.com with all clients in example.com or other children? (No
overlap with AD-managed zones, but in at least one case autodiscovery
won't be possible due to mixed clients in the parent zone.)

What's the best way to play nice with existing PKI -- generate a CA CSR at
installation time and sign that? Is there any provision for automatically
renewing these certs, say if the external CA were to be subsumed by a
dedicated Dogtag instance?

Advice and experience appreciated, before I paint myself into a corner.