We will start setting up IDM/FreeIPA  for a specific linux subdomain in our
The part of setting up a trust is clear: we will be using an external trust
for a selected Active Directory domain.

But how can we best integrate with the enterprise CA infrastructure (MS
Certificate Services)?

Is it possible to deploy FreeIPA (Dogtag) as root CA, and to publish
requests for public HTTPS certificates by GlobalSign, or if internal, the
MS Certificate Services root CA?
We can still use FreeIPA for all certificates where we need to encrypt
end-to-end communication between servers (as an example).
What about the principle of an offline root CA in that case?

Or is there a specific reason that a subordinate CA is a better idea,
signed by the root CA of the MS PKI infrastructure?
And if we ask for a subordinate CA, is it possible to limit exposure/risks
by setting some extensions?

To conclude: own root CA, or subordinate CA signed by the existing MS
Certificate Services PKI?

Sincerely, Pieter Baele
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
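The extensions the question asks about (basicConstraints with pathLenConstraint, and nameConstraints) are what actually bound the blast radius of a subordinate CA: whoever signs the sub-CA request (here the enterprise root) puts them on the sub-CA certificate, and every relying party that validates a chain enforces them, so a compromised or misconfigured sub-CA cannot mint certificates for names outside its subdomain or spawn further CAs. The program below is an added example, not code from the thread or from FreeIPA/Dogtag: it simulates the three-tier setup with Go's standard crypto/x509 (placeholder names "Example Corp Root CA", "Linux Subdomain Issuing CA" and the domain linux.example.com are assumptions), issues a constrained sub-CA, and shows which leaf certificates a client will accept and which it rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed PKI: an enterprise root, a subordinate issuing CA
// fenced in by X.509 extensions, and the leaves it issues. Names are placeholders.
type DemoPKI struct {
	Root, Sub *x509.Certificate
	subKey    *ecdsa.PrivateKey
	serial    int64
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in serial and validity, signs tmpl with the parent's key and parses the result.
func (p *DemoPKI) sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	p.serial++
	tmpl.SerialNumber = big.NewInt(p.serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(365 * 24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI creates the root and the constrained subordinate CA.
func BuildPKI() *DemoPKI {
	p := &DemoPKI{}
	rootKey := mustKey()
	rootTmpl := caTemplate("Example Corp Root CA") // placeholder for the enterprise root
	p.Root = p.sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	p.subKey = mustKey()
	subTmpl := caTemplate("Linux Subdomain Issuing CA") // placeholder for the IdM sub-CA
	// pathLenConstraint=0: the sub-CA may issue end-entity certs but never another CA.
	subTmpl.MaxPathLen, subTmpl.MaxPathLenZero = 0, true
	// Name constraints: only DNS names under the Linux subdomain are acceptable.
	subTmpl.PermittedDNSDomainsCritical = true
	subTmpl.PermittedDNSDomains = []string{"linux.example.com"} // placeholder domain
	p.Sub = p.sign(subTmpl, p.Root, &p.subKey.PublicKey, rootKey)
	return p
}

// issueLeaf has issuer sign a TLS server certificate for dnsName.
func (p *DemoPKI) issueLeaf(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	leafKey := mustKey()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return p.sign(tmpl, issuer, &leafKey.PublicKey, issuerKey)
}

// IssueLeaf issues a server certificate from the subordinate CA.
func (p *DemoPKI) IssueLeaf(dnsName string) *x509.Certificate { return p.issueLeaf(p.Sub, p.subKey, dnsName) }

// Verify builds the chain to the root as a TLS client would; the extensions on
// the subordinate are enforced here, at validation time, not at issuance.
func (p *DemoPKI) Verify(leaf *x509.Certificate, dnsName string, extra ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Sub)
	for _, c := range extra {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

// SubSubCAVerify lets the subordinate sign a further CA, which then issues an
// in-domain leaf; the path-length constraint must still reject the chain.
func (p *DemoPKI) SubSubCAVerify(dnsName string) error {
	key := mustKey()
	subSub := p.sign(caTemplate("Unauthorised Sub-Sub CA"), p.Sub, &key.PublicKey, p.subKey)
	return p.Verify(p.issueLeaf(subSub, key, dnsName), dnsName, subSub)
}

func main() {
	p := BuildPKI()
	fmt.Println("in-scope leaf:    ", p.Verify(p.IssueLeaf("web1.linux.example.com"), "web1.linux.example.com"))
	fmt.Println("out-of-scope leaf:", p.Verify(p.IssueLeaf("dc1.corp.example.com"), "dc1.corp.example.com"))
	fmt.Println("via sub-sub CA:   ", p.SubSubCAVerify("web2.linux.example.com"))
}
```

Running it shows the in-scope leaf verifying with a nil error, while the leaf for dc1.corp.example.com and the chain through the extra sub-CA both fail. Note that issuance itself succeeds in all three cases: the sub-CA's private key can sign anything, and the protection lives in the validators, so it is worth confirming that the TLS stacks in use actually honour nameConstraints and pathLenConstraint before relying on them as the only control.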