Hi,

We will start setting up IdM/FreeIPA for a specific Linux subdomain in our enterprise. The part of setting up a trust is clear: we will be using an external trust for a selected Active Directory domain.

But how can we best integrate with the enterprise CA infrastructure (MS Certificate Services)? Is it possible to deploy FreeIPA (Dogtag) as root CA, and to publish requests for public HTTPS certificates to GlobalSign or, if internal, to the MS Certificate Services root CA? We can still use FreeIPA for all certificates where we need to encrypt end-to-end communication between servers (as an example).

What about the principle of an offline root CA in that case? Or is there a specific reason that a subordinate CA, signed by the root CA of the MS PKI infrastructure, is a better idea? And if we ask for a subordinate CA, is it possible to limit exposure/risks by setting some extensions?

To conclude: our own root CA, or a subordinate CA signed by the existing MS Certificate Services PKI?

Sincerely,
Pieter Baele
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
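The "limit exposure with extensions" option the post asks about, modelled with the openssl command line. This is an added example, not code from the original thread or from FreeIPA/Dogtag. A throwaway root stands in for the MS Certificate Services root; the subordinate CA certificate it signs carries basicConstraints with pathlen:0 and a critical nameConstraints extension permitting only DNS names under linux.example.com (an assumed IPA subdomain). openssl verify then shows what that buys: a server certificate for ipa1.linux.example.com chains to the root, one for dc1.corp.example.com is rejected, and a further CA minted by the sub CA is rejected because of the path-length limit. All subject names, domains and the helper names (issue, setup_pki, can_sign, can_delegate) are assumptions for illustration; in practice the sub CA CSR comes from ipa-server-install --external-ca, the extensions are set by the issuing MS CA, and the signed cert goes back in with ipa-server-install --external-cert-file.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeIPA/Dogtag.
# Models a subordinate CA whose reach is limited by X.509 extensions
# (basicConstraints pathlen:0 and a critical nameConstraints) and checks
# with "openssl verify" what it can and cannot sign. All names are assumed.
set -e

IPA_DOMAIN=${IPA_DOMAIN:-linux.example.com}   # assumed IPA subdomain

# issue ISSUER SUBJECT EXTFILE OUT: fresh P-256 key and CSR for SUBJECT,
# signed by $PKI/ISSUER.{crt,key} with the extensions listed in EXTFILE.
issue() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$PKI/req.cnf" -subj "$2" \
        -keyout "$PKI/$4.key" -out "$PKI/$4.csr" 2>/dev/null &&
    openssl x509 -req -in "$PKI/$4.csr" -CA "$PKI/$1.crt" -CAkey "$PKI/$1.key" \
        -CAcreateserial -days 365 -extfile "$3" -out "$PKI/$4.crt" 2>/dev/null
}

# setup_pki: throwaway root (stand-in for the MS root; signs the sub CA once
# and is not needed again, i.e. it could stay offline) plus the constrained
# sub CA. Sets $PKI to the working directory.
setup_pki() {
    PKI=$(mktemp -d)
    cat >"$PKI/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$PKI/req.cnf" -subj "/O=EXAMPLE/CN=Example Root CA" \
        -keyout "$PKI/root.key" -out "$PKI/root.crt" -days 3650 2>/dev/null

    # What the issuing CA would put on the IPA sub CA certificate: no further
    # CAs below it, and only DNS names inside the IPA subdomain.
    cat >"$PKI/sub.ext" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
nameConstraints = critical, permitted;DNS:$IPA_DOMAIN
EOF
    issue root "/O=EXAMPLE/CN=IPA Certificate Authority" "$PKI/sub.ext" sub
}

# can_sign HOST: 0 if a server cert for HOST issued by the sub CA validates
# against the root, non-zero if the name constraint rejects it.
can_sign() {
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$1" >"$PKI/leaf.ext"
    issue sub "/CN=$1" "$PKI/leaf.ext" leaf
    openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/sub.crt" "$PKI/leaf.crt" >/dev/null 2>&1
}

# can_delegate: 0 if the sub CA can create a further CA whose certificates
# validate, non-zero if pathlen:0 cuts the chain. The leaf name is inside the
# permitted subtree, so only the path-length limit can reject it.
can_delegate() {
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign\nsubjectKeyIdentifier = hash\n' >"$PKI/rogue.ext"
    issue sub "/CN=Rogue Sub CA" "$PKI/rogue.ext" rogue
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:host.%s\n' "$IPA_DOMAIN" >"$PKI/rleaf.ext"
    issue rogue "/CN=host.$IPA_DOMAIN" "$PKI/rleaf.ext" rleaf
    cat "$PKI/sub.crt" "$PKI/rogue.crt" >"$PKI/chain.crt"
    openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/chain.crt" "$PKI/rleaf.crt" >/dev/null 2>&1
}

main() {
    setup_pki
    for h in "ipa1.$IPA_DOMAIN" "dc1.corp.example.com"; do
        if can_sign "$h"; then echo "$h: accepted"; else echo "$h: rejected (name constraint)"; fi
    done
    if can_delegate; then echo "sub-sub CA: accepted"; else echo "sub-sub CA: rejected (pathlen:0)"; fi
    rm -rf "$PKI"
}
main
```

Two caveats on the design. nameConstraints has to be marked critical (RFC 5280 requires it), which means a client that does not implement the extension rejects the whole chain instead of silently ignoring the limit; test the relying parties you care about. The example constrains only the DNS name type; a directoryName constraint would also have to accommodate the distinguished names Dogtag uses for its own subsystem certificates, so do not add one without checking those first.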