Hi Adam,

On Mon, Feb 13, 2012 at 5:58 PM, Adam Young <ayo...@redhat.com> wrote:

> On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
>
>> Hi,
>> I see DogTag PKI used as a certificate server for the enrollment of hosts and services.
>> What about the enrollment of normal X509v3 certificates? I have not seen, correct me if I'm wrong, any reference to the possibility to use it as a regular CA for user certificates. Not within FreeIPA, of course.
>>
>> Is there any drawback in using it as the primary CA for the company?
>
> It is a full CA. You can use it as such. Dogtag is a vibrant project in its own right, and you can find developers on #dogtag-pki in Freenode.
> The install is done via pkisilent, and you might want to make sure that you understand the parameters used to call it.

I will. Thanks for the pointer.

> One major drawback is that IPA has disabled Nonces in the Dogtag backend. These are there to defend against a CSRF attack. What this means is that you should not expose the Dogtag WebUI through the IPA server, either on its Dogtag port or via HTTP proxy. It should be explicitly stated that IPA implements Nonces for its web UI, and does not allow session based calls through to the Dogtag back end, so its configuration is secure. The problem is only exposed if you expose additional web URLs to the Dogtag backend beyond those specified in the PKI Proxy.
>
> Enabling nonces will break IPA.

You told me something I wasn't aware of. I will dig into this during the next weeks.

> I've installed and used the standard Java tools for Dogtag and used them to talk to the PKI backend installed by IPA. They work fine.

Ok, this is what I hoped to read! :-)

> Currently, IPA acts as a single Agent in Dogtag. This should be fine. For other certificate usage, you should probably use a different agent.

Please be patient with me, I don't understand yet the concept of "agent". Even a reference to the documentation would be helpful to me.

> IPA does not currently support user certificates. However, there are standard LDAP object classes and attributes that you could conceivably use to record them if you wanted to keep them in a single DirSrv. Obviously, you do not want to put the private keys on the IPA server, so plan accordingly.

I will, I promise :-)

> Red Hat does not support using the Certificate Server (PKI) backend with its Identity management install for purposes other than support for the IdM (IPA) front end, so beware that you have no "up sell" if you desire to get paid support for IPA.

I understand. I'll add a question I'm curious about: if I remember correctly, on the PKI-user mailing list I read a user complaining about RH not selling RHCS standalone anymore. Is it true?

You've been very helpful! Your blog too... :-)

Thanks a lot!
Marco
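The nonce point Adam raises above (a backend that has nonces disabled will accept a state-changing request from any page that can make the browser send the session cookie) is illustrated below with a small, self-contained model. This is an added example, not Dogtag's or FreeIPA's code, and it does not reproduce how Dogtag implements its nonces; the backend, its `nonces_enabled` switch, the session store and the `revoke_cert` operation are all hypothetical stand-ins for a generic web UI behind a session cookie.

```python
"""Generic model of a per-session nonce (synchronizer token) check.

Added illustration; not Dogtag or FreeIPA code. The backend, session
store, and revoke_cert operation are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    """Minimal model of an HTTP request as the backend sees it."""
    session_id: Optional[str]                     # attached by the browser (cookie)
    form: Dict[str, str] = field(default_factory=dict)  # body chosen by the submitting page


class CaBackend:
    """Toy agent/admin backend whose nonce check can be switched off."""

    def __init__(self, nonces_enabled: bool = True) -> None:
        self.nonces_enabled = nonces_enabled
        self._sessions: Dict[str, Optional[str]] = {}  # session_id -> outstanding nonce
        self.revoked: List[str] = []

    def login(self) -> str:
        """Create a session and return the id the browser will store as a cookie."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = None
        return sid

    def render_form(self, sid: str) -> str:
        """Issue a fresh nonce embedded in the page served to this session.

        Only a page loaded from this origin can read the nonce; a page on
        another site can make the browser submit a form, but cannot read it.
        """
        nonce = secrets.token_urlsafe(32)
        self._sessions[sid] = nonce
        return nonce

    def revoke_cert(self, req: Request) -> bool:
        """State-changing operation. Returns True only if it was performed."""
        if req.session_id not in self._sessions:
            return False                               # no valid session at all
        if self.nonces_enabled:
            expected = self._sessions[req.session_id]
            supplied = req.form.get("nonce", "")
            # Constant-time compare; a missing, stale or reused nonce fails.
            if expected is None or not hmac.compare_digest(expected, supplied):
                return False
            self._sessions[req.session_id] = None      # nonce is single-use
        self.revoked.append(req.form["serial"])
        return True


def simulate(nonces_enabled: bool) -> Dict[str, bool]:
    """Run a legitimate, a forged, and a replayed request against one backend."""
    backend = CaBackend(nonces_enabled=nonces_enabled)
    sid = backend.login()

    # Legitimate flow: the operator's own page fetches the form and its nonce.
    nonce = backend.render_form(sid)
    legit = backend.revoke_cert(Request(sid, {"serial": "0x1001", "nonce": nonce}))

    # Cross-site flow: the browser attaches the cookie, but the submitting page
    # never saw the nonce, so the request carries none.
    backend.render_form(sid)          # victim has a form open, so a nonce is outstanding
    forged = backend.revoke_cert(Request(sid, {"serial": "0x1002"}))

    # Replay flow: the nonce consumed by the legitimate request is presented again.
    replay = backend.revoke_cert(Request(sid, {"serial": "0x1003", "nonce": nonce}))

    return {"legitimate": legit, "forged": forged, "replay": replay}


if __name__ == "__main__":
    print("nonces enabled :", simulate(True))
    print("nonces disabled:", simulate(False))
```

With the check on, only the legitimate request succeeds; with it off, all three succeed on the strength of the session cookie alone, which is why a backend configured that way should stay behind the narrow set of proxied URLs rather than be exposed as a general web UI.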
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users