Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-17 Thread Fraser Tweedale
On Wed, Aug 17, 2016 at 10:52:53AM +0530, Kaamel Periora wrote:
> Thanks.
> 
> One last question :)
> 
> Will that be feasible to have all the systems (CA, RA, OCSP) on top of
> Fedora and upgrade the OS as well as CS with the latest ones from time to time.
> This should not affect the existing data or configuration. With Fedora this
> seems to be a must.
> 
It is feasible, and if you want to stay on supported releases you
will need to do it more frequently on Fedora than on RHEL or CentOS,
because Fedora evolves faster and orphans old releases more eagerly.
Your choice depends on your organisation's technical requirements
and risk appetite ;)

Thanks,
Fraser


Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-16 Thread Kaamel Periora
Thanks.

One last question :)

Will that be feasible to have all the systems (CA, RA, OCSP) on top of
Fedora and upgrade the OS as well as CS with the latest ones from time to time.
This should not affect the existing data or configuration. With Fedora this
seems to be a must.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-16 Thread Fraser Tweedale
On Tue, Aug 16, 2016 at 04:29:02PM +0530, Kaamel Periora wrote:
> Thanks Fraser.
> 
> So basically I can rule out FreeIPA and go ahead with DogTag.
> 
> According to our security requirements, it is not wise to let the general
> public access to the OCSP service running on the CA. I suppose having an
> OCSP over Fedora while the others run on CentOS would do.
> 
Sure, you can deploy it that way.  I do not know of anyone who has
done so but it should work.

> How about RA, can I have it over CentOS?
> 
We no longer have a separate RA subsystem.  RA capabilities are
conceptually part of the CA subsystem now.



Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-16 Thread Kaamel Periora
Thanks Fraser.

So basically I can rule out FreeIPA and go ahead with DogTag.

According to our security requirements, it is not wise to let the general
public access to the OCSP service running on the CA. I suppose having an
OCSP over Fedora while the others run on CentOS would do.

How about RA, can I have it over CentOS?


Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-16 Thread Fraser Tweedale
On Tue, Aug 16, 2016 at 02:54:41PM +0530, Kaamel Periora wrote:
> Thanks Rob and Fraser, appreciate your time in replying.
> 
> Currently we are not using FreeIPA but dogtag 9 as a standalone system
> with RA and OCSP as well.
> 
> We thought of migrating to the FreeIPA after looking at the ease of
> management and excellent support community behind.
> 
> We require SSL/TLS server certificates and user certificates as well.
> 
> Currently our major issue is the continuous changes (not stable) in the
> underlying OS which is Fedora. If we proceed with Dogtag over CentOS or
> RedHat, will that suffice the stability requirements while delivering the
> same level of integration with Fedora?
> 
> Your opinion is much appreciated.
> 
> Kaamel
> 
FreeIPA and Dogtag are both available in RHEL and CentOS, so you can
have FreeIPA's ease of management on a less rapidly-evolving
platform.

Caveat: the standalone OCSP subsystem is not supported on RHEL, but
the CA subsystem has an inbuilt OCSP responder which may suffice.

Thanks,
Fraser



Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-16 Thread Kaamel Periora
Thanks Rob and Fraser, appreciate your time in replying.

Currently we are not using FreeIPA but dogtag 9 as a standalone system
with RA and OCSP as well.

We thought of migrating to the FreeIPA after looking at the ease of
management and excellent support community behind.

We require SSL/TLS server certificates and user certificates as well.

Currently our major issue is the continuous changes (not stable) in the
underlying OS which is Fedora. If we proceed with Dogtag over CentOS or
RedHat, will that suffice the stability requirements while delivering the
same level of integration with Fedora?

Your opinion is much appreciated.

Kaamel


Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-11 Thread Fraser Tweedale
On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> Kamal Perera wrote:
> > Dear all,
> > 
> > Seeking your kind advice.
> > 
> > If the requirement is for having a scalable corporate CA only, is it
> > possible to get this requirement fulfilled with DogTag only, or install
> > FreeIPA and use the CA functionality only.
> 
> IPA limits dogtag to only those features it is interested in. This has been
> expanding recently but you still lose some functionality.
> 
> IMHO if all you want is a CA then managing IPA is overkill.
> 
> > What are the functional differences and support limitations?
> 
> Functionally it depends on what version of IPA you're talking about. Older
> versions only exposed server certificates. Newer versions support user
> certifications, custom profiles and more. It is still just a subset of what
> dogtag supports.
> 
> Support from whom? The dogtag community is happy to help (they've always
> helped us).
> 
There are lots of questions that can help you decide which path to
take: what kinds of certs do you want to issue; to what entities;
who will issue them; are you already using FreeIPA in your
organisation?

In regards to functional differences, Dogtag CA and KRA are
supported with FreeIPA; token processing and standalone OCSP are
not.  I disagree somewhat with Rob in that unless you need those
other Dogtag subsystems, I see little disadvantage in using FreeIPA.
It definitely makes deploying the CA easier and managing renewals
easier.

The more you tell us of your requirements, the more we can help :)

Thanks,
Fraser



Re: [Freeipa-users] FreeIPA vs DogTag CA

2016-08-11 Thread Rob Crittenden

Kamal Perera wrote:
> Dear all,
>
> Seeking your kind advice.
>
> If the requirement is for having a scalable corporate CA only, is it
> possible to get this requirement fulfilled with DogTag only, or install
> FreeIPA and use the CA functionality only.

IPA limits dogtag to only those features it is interested in. This has
been expanding recently but you still lose some functionality.

IMHO if all you want is a CA then managing IPA is overkill.

> What are the functional differences and support limitations?

Functionally it depends on what version of IPA you're talking about.
Older versions only exposed server certificates. Newer versions support
user certifications, custom profiles and more. It is still just a subset
of what dogtag supports.

Support from whom? The dogtag community is happy to help (they've always
helped us).

rob



[Freeipa-users] FreeIPA vs DogTag CA

2016-08-10 Thread Kamal Perera
Dear all,

Seeking your kind advice.

If the requirement is for having a scalable corporate CA only, is it
possible to get this requirement fulfilled with DogTag only, or install
FreeIPA and use the CA functionality only.

What are the functional differences and support limitations?

Thanks
Kaamel