On Sun, 12 Mar 2017, Rob Foehl wrote:

What's the best way to play nice with existing PKI -- generate a CA CSR at installation time and sign that? Is there any provision for automatically renewing these certs, say if the external CA were to be subsumed by a dedicated Dogtag instance?


I'm guessing the complete lack of a response does not bode well for this idea...

Ideally, I'd rather not manage an external CA at all; existing use cases are service certificates and a handful of user or device-specific client certs. I've been digging into the sub-CA support a bit more, and it might be possible to cover everything within FreeIPA, possibly adding otherwise-unused principals as needed.

The lingering question, then: what to do with the existing CA?

I've found a few threads suggesting it may be possible to wedge an existing cert/key into a new IPA instance at install time, but they're all light on specifics. Any other ideas for a smooth transition from this CA to one entirely owned by FreeIPA, maybe within 3 years or so? ;)

-Rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to