On Wed, May 03, 2017 at 10:36:38AM +0000, Pieter Baele wrote:
> On Tue, May 2, 2017 at 11:13 PM Christina Fu <[email protected]> wrote:
>
> > It's unclear from what's described to have the whole context to answer
> > your specific questions, but I can answer the question regarding Dogtag.
> > See below.
>
> I got perfect answers from both Fraser and you. Thanks a lot.
>
> As I initially thought, a FreeIPA (or Dogtag with less features....(?)) is
> still the best idea.
>
> But our (MS) AD/PKI admins had some doubts, and were convinced you have to
> deploy subCA CA certificates to clients.
>
> To conclude:
> - it is much simpler for our team to set up FreeIPA CA services as a subCA,
> also because we don't need to create and secure an offline CA in that case.

Yes, creating a sub-CA of the organisation's existing CA avoids this
duplicate effort. There may be some good reasons to want a separate root
for IDM, but where there is an existing PKI, most organisations choose to
chain IDM into it.

> - we don't need to distribute certs to windows clients

That's right.

> - the rootCA (AD PKI) can always revoke our subCA when there is a
> problem/breach. Correct?

Yes. The usual caveats around CRLs, OCSP etc apply.

Cheers,
Fraser

_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
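The three points Fraser confirms above (chain the IDM CA under the existing AD root, clients need no copy of the sub-CA certificate, the root can revoke the sub-CA) can be checked end to end in code. The Go program below is an added example written for this page; it is not code from the pki-users thread, FreeIPA or Dogtag. It uses only Go's standard crypto/x509 package, builds a throwaway root, sub-CA and host certificate in memory (all names, serial numbers and the hostname host.example.test are made up), and then behaves as a client whose trust store holds nothing but the root. The helper names buildPKI, issue, revokeSubCA and verifyLeaf are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPair is a constructed, in-memory certificate together with its private key.
type caPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must panics on setup errors; those are bugs in the constructed PKI, not verification results.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a CA or server certificate with a constructed name; a nil parent means self-signed.
func issue(serial int64, cn string, ca bool, parent *caPair) *caPair {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &caPair{cert: must(x509.ParseCertificate(der)), key: key}
}

// buildPKI constructs the hierarchy discussed in the thread: AD root -> FreeIPA sub-CA -> host.
func buildPKI() (root, sub, leaf *caPair) {
	root = issue(1, "Constructed AD Root CA", true, nil)
	sub = issue(2, "Constructed FreeIPA Sub CA", true, root)
	return root, sub, issue(3, "host.example.test", false, sub)
}

// revokeSubCA has the root publish a CRL that lists the sub-CA's serial number.
func revokeSubCA(root *caPair, sub *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: sub.SerialNumber, RevocationTime: time.Now()}},
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, root.cert, root.key))))
}

// verifyLeaf is a client trusting only the AD root; presented is what the server sends with its own cert.
func verifyLeaf(root, leaf *x509.Certificate, presented []*x509.Certificate, host string, rootCRL *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil || rootCRL == nil {
		return err
	}
	// Verify ignores CRLs: confirm the CRL is the root's, then check the chain members the root issued.
	if err := rootCRL.CheckSignatureFrom(root); err != nil {
		return err
	}
	for i, c := range chains[0][:len(chains[0])-1] { // leaf first, root last
		for _, rc := range rootCRL.RevokedCertificates {
			if chains[0][i+1].Equal(root) && rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
				return fmt.Errorf("%q was revoked by the root CA", c.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	root, sub, leaf := buildPKI()
	chain, crl := []*x509.Certificate{sub.cert}, revokeSubCA(root, sub.cert)
	fmt.Println(verifyLeaf(root.cert, leaf.cert, chain, "host.example.test", nil), verifyLeaf(root.cert, leaf.cert, nil, "host.example.test", nil), verifyLeaf(root.cert, leaf.cert, chain, "host.example.test", crl))
}
```

main prints three results: nil when the server presents the sub-CA certificate alongside its own, an "unknown authority" error when it does not, and a "revoked" error once the root's CRL lists the sub-CA. The second case is the practical side of "we don't need to distribute certs to clients": the client needs no copy of the sub-CA certificate as long as every server sends it in its chain. The third case is what "the usual caveats around CRLs, OCSP etc" amounts to here: Go's Verify, like most chain builders, does not fetch or check revocation data on its own, so a client only benefits from the root revoking the sub-CA if it actually consults the root's CRL or OCSP responder.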
