On Tue, May 2, 2017 at 11:13 PM Christina Fu <[email protected]> wrote:
> It's unclear from what's described to have the whole context to answer
> your specific questions, but I can answer the question regarding Dogtag.
> See below.

I got perfect answers from both Fraser and you. Thanks a lot.

As I initially thought, a FreeIPA (or Dogtag with less features....(?)) is still the best idea. But our (MS) AD/PKI admins had some doubts, and were convinced you have to deploy subCA CA certificates to clients.

To conclude:

- it is much simpler for our team to set up FreeIPA CA services as a subCA, also because we don't need to create and secure an offline CA in that case.
- we don't need to distribute certs to Windows clients
- the rootCA (AD PKI) can always revoke our subCA when there is a problem/breach.

Correct?

--
Pieter
