[Freeipa-devel] [RFE] CA-less install

Dmitri Pal dpal at redhat.com
Fri Mar 22 12:32:12 UTC 2013


On 03/22/2013 08:10 AM, Petr Viktorin wrote:
> The design page for CA-less installation with user-provided SSL certs
> is available at http://freeipa.org/page/V3/CA-less_install. I've also
> copied it to this mail.
>
> Does it answer all your questions?
>
Petr,

It answers a lot of questions.
However, isn't the whole goal to be able to use an external CA we do not
have control of as part of the trust chain?

I might very well confuse things so bear with me.

Say I have a public CA X I want to use as the root of my trust chain so
that I do not need to distribute certificates to all my clients.
I can't create a sub CA using external-ca because it will cost me a lot
of money.

But I can create a PKI pair for just two servers (HTTP and DS) much
cheaper. Is this the assumption?
Is this really how this works? Is it really easy to get a CSR signed by
a public CA X?

Other comments: what are the implications for certmonger and cert
rotation? I assume certmonger will be turned off. It should then be
documented that we will not track or warn about the cert expiration.

In future, for the KDC PKINIT support we will need yet another cert for
the KDC. You do not need to implement it now, but please consider this in
the design.

The page misses you as an author.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
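The point raised above about certmonger being turned off in a CA-less install means nothing on the server watches the user-provided HTTP and DS certificates for expiry. The script below is an added example (not part of this thread, the design page, or the FreeIPA project) of the minimal check an administrator would run from cron instead. It assumes the server certificates are available as PEM files whose paths are passed on the command line; the threshold, the function names and the self-signed sample certificate it can generate for a stand-alone run are all constructed for this example.

```shell
#!/bin/sh
# Hypothetical expiry check for the user-provided server certs of a CA-less
# FreeIPA install, where certmonger is not tracking them. All paths and names
# here are assumptions made for this example, not the project's own.

# Succeed (exit 0) if the PEM certificate in $1 is still valid for at least
# $2 days. openssl's -checkend takes a number of seconds.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Report on every certificate path given after the threshold (in days).
# Returns the number of certificates that are missing or below the threshold,
# so a non-zero exit is the signal to alert on.
check_certs() {
    warn_days=$1; shift
    failing=0
    for cert in "$@"; do
        if [ ! -r "$cert" ]; then
            echo "MISSING $cert"
            failing=$((failing + 1))
            continue
        fi
        subject=$(openssl x509 -noout -subject -in "$cert")
        enddate=$(openssl x509 -noout -enddate -in "$cert" | cut -d= -f2)
        if cert_valid_for_days "$cert" "$warn_days"; then
            echo "OK      $cert ($subject) expires $enddate"
        else
            echo "WARNING $cert ($subject) expires $enddate (< $warn_days days left)"
            failing=$((failing + 1))
        fi
    done
    return $failing
}

# Constructed sample input: a throwaway self-signed certificate written to $1
# with a validity of $2 days. Only used to exercise the check offline; a real
# deployment points check_certs at the certificates the installer was given.
make_sample_cert() {
    out=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" \
        -out "$out" -days "$days" -subj "/CN=sample.example.test" >/dev/null 2>&1
}

# Usage: sh check_ipa_certs.sh /path/to/http.pem /path/to/ds.pem
# Warns when fewer than 30 days remain; exits non-zero in that case.
if [ $# -gt 0 ]; then
    check_certs 30 "$@"
fi
```

Run it from cron with the two certificate paths and alert on a non-zero exit status; the 30-day threshold is only a starting point and should match however long it takes to obtain a renewed certificate from the external CA.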