On Sun, 12 Mar 2017, Rob Foehl wrote:
What's the best way to play nice with existing PKI -- generate a CA CSR at
installation time and sign that? Is there any provision for automatically
renewing these certs, say if the external CA were to be subsumed by a
dedicated Dogtag instance?
I'm guessing the complete lack of a response does not bode well for this
idea...
Ideally, I'd rather not manage an external CA at all; existing use cases
are service certificates and a handful of user or device-specific client
certs. I've been digging into the sub-CA support a bit more, and it might
be possible to cover everything within FreeIPA, possibly adding
otherwise-unused principals as needed.
The lingering question, then: what to do with the existing CA?
I've found a few threads suggesting it may be possible to wedge an
existing cert/key into a new IPA instance at install time, but they're all
light on specifics. Any other ideas for a smooth transition from this CA
to one entirely owned by FreeIPA, maybe within 3 years or so? ;)
-Rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
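As an added illustration (not part of Rob's message or of FreeIPA's own code), the script below models the hand-off that the "generate a CA CSR at installation time and sign that" flow implies: FreeIPA's `ipa-server-install --external-ca` stops after writing a CSR for its CA, the operator of the existing PKI signs it as a subordinate CA, and the installer is re-run with `--external-cert-file` pointing at the resulting certificate and the external chain. The script stands in for both sides with openssl in a temporary directory: a throwaway root plays the existing external CA, a freshly generated CSR plays the one the installer would write, and the checks at the end are the ones worth running before handing the files back, namely that the signed certificate really carries `CA:TRUE` (signing it as a leaf is the usual mistake, shown as the negative case), that it chains to the external root, and how far it is from expiry, since the external side must renew it before it lapses. All file names, subjects and lifetimes are constructed for the example.

```shell
#!/bin/sh
# Added example: external-CA signing step for a FreeIPA-style CA CSR, using openssl.
# Names, paths and lifetimes below are assumptions for illustration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the existing external CA: a self-signed root (CA:TRUE by default).
make_external_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=EXAMPLE/CN=Example External Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Stand-in for the CSR the installer writes (FreeIPA puts its own at /root/ipa.csr).
make_ipa_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=EXAMPLE/CN=Certificate Authority" \
    -keyout "$WORK/ipa-ca.key" -out "$WORK/ipa.csr" 2>/dev/null
}

# Sign the CSR with the given extension profile and lifetime (days), writing $3.
sign_csr() {
  openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days "$2" -extfile "$1" -out "$3" 2>/dev/null
}

# Correct profile: a subordinate CA must be allowed to sign certificates and CRLs.
sign_ipa_ca() {
  cat > "$WORK/subca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  sign_csr "$WORK/subca.ext" "${1:-730}" "$WORK/ipa-ca.crt"
}

# Wrong profile (the common mistake): the same CSR signed as an end-entity cert.
sign_as_leaf() {
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
EOF
  sign_csr "$WORK/leaf.ext" "${1:-730}" "$WORK/wrong.crt"
}

# --- checks to run before handing the certificate back to the installer ---

# True if the certificate asserts the CA basic constraint.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if the certificate chains to the external root.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

# True if the certificate expires within $2 days (renewal planning).
will_expire_within_days() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

main() {
  make_external_root
  make_ipa_csr
  sign_ipa_ca 730
  sign_as_leaf 730
  # The chain file the installer also needs: the external CA certificate(s).
  cp "$WORK/root.crt" "$WORK/ca-chain.crt"

  if is_ca_cert "$WORK/ipa-ca.crt" && chain_verifies "$WORK/ipa-ca.crt"; then
    echo "OK: $WORK/ipa-ca.crt is a subordinate CA under $WORK/root.crt"
  else
    echo "FAIL: $WORK/ipa-ca.crt is not usable as a CA certificate" >&2
  fi
  if ! is_ca_cert "$WORK/wrong.crt"; then
    echo "As expected, $WORK/wrong.crt lacks CA:TRUE and must not be handed to the installer"
  fi
  if will_expire_within_days "$WORK/ipa-ca.crt" 90; then
    echo "WARNING: CA certificate expires within 90 days; renew with the external CA"
  fi
}

main "$@"
```

The two openssl invocations in `sign_csr` are the whole of what the external CA operator contributes; everything else is verification. The `will_expire_within_days` check is the piece to schedule, because a subordinate CA certificate signed by an external PKI is not renewed by FreeIPA's own certmonger tracking and silently expiring it takes every certificate below it with it.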