Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Fraser Tweedale
On Wed, May 11, 2016 at 12:06:39PM +, Andy Thompson wrote:
> > Andy, you can install FreeIPA as a sub-CA of your offline root. Support for creating sub-CAs *within* FreeIPA, under the "main" FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet available but I

Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Alexander Bokovoy
- Original Message -
> > >If I can get an exclusion for the sub-CA bits, can that be added at a later time and just run with a root CA for now? Can it perform all of the needs of an org CA outside of an IPA environment?
> > Not through the IPA interfaces but standard Dogt

Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Andy Thompson
> Andy, you can install FreeIPA as a sub-CA of your offline root. Support for creating sub-CAs *within* FreeIPA, under the "main" FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet available but I am working on that. But if you only need one CA as a sub-CA of an o

Re: [Freeipa-users] freeipa as organizational CA

2016-05-11 Thread Andy Thompson
> >If I can get an exclusion for the sub-CA bits, can that be added at a later time and just run with a root CA for now? Can it perform all of the needs of an org CA outside of an IPA environment?
> Not through the IPA interfaces but standard Dogtag is there, with its (albeit a bit

Re: [Freeipa-users] freeipa as organizational CA

2016-05-09 Thread Fraser Tweedale
On Mon, May 09, 2016 at 10:23:07PM +0300, Alexander Bokovoy wrote:
> On Mon, 09 May 2016, Andy Thompson wrote:
> >Is freeipa in RHEL7.2 able to be used as an organizational CA these days? I have a requirement to set one up and like the IPA interface and tools, but can't sort out the current

Re: [Freeipa-users] freeipa as organizational CA

2016-05-09 Thread Alexander Bokovoy
On Mon, 09 May 2016, Andy Thompson wrote: -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Monday, May 9, 2016 3:23 PM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] freeipa as organizational CA On Mon, 09 May 2016, Andy

Re: [Freeipa-users] freeipa as organizational CA

2016-05-09 Thread Andy Thompson
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Monday, May 9, 2016 3:23 PM > To: Andy Thompson > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] freeipa as organizational CA > > On Mon, 09 May 2016, Andy Thompson

Re: [Freeipa-users] freeipa as organizational CA

2016-05-09 Thread Alexander Bokovoy
On Mon, 09 May 2016, Andy Thompson wrote: Is freeipa in RHEL7.2 able to be used as an organizational CA these days? I have a requirement to set one up and like the IPA interface and tools, but can't sort out the current state in 4.2 to decipher whether this is possible, or even reasonable to try