<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/13/2015 02:51 PM, Johnny Tan
wrote:<br>
</div>
<blockquote
cite="mid:CABMVzL2S9L07s3FqBg6xvd-UN_cZqezMUqfHqFnhyXxCOanwPA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Mar 13, 2015 at 2:15 PM,
Dmitri Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>Rob would definitely know more but IPA mostly
provides certs for the infra it serves and has a
limited use of the certs by itself.<br>
</div>
</span> So here is where I know it is used:<br>
- You can issue certs for hosts and services, and the
installer used to create certs for hosts automatically,
though these certs are not used for anything and we
decided not to create them automatically any more.<br>
- You need to trust IPA in the browser so that you can do
forms-based authentication if you do not have a Kerberos
ticket.<br>
- To issue certs we use Dogtag, and Dogtag understands
only cert-based authentication, so internally the
communication between the management framework and Dogtag
uses SSL. This is actually why the host-del fails. The
host had a cert issued by the IPA CA, so as part of the del
operation it tries to revoke the cert, but since you
reconfigured the system to be CA-less it can't and
fails.<br>
<br>
The communication between the LDAP servers is Kerberos
authenticated.</div>
</blockquote>
<div><br>
</div>
<div>I'll wait for Rob to weigh in, but wow, this would
actually be huge for us and probably a lot of other users.
Because if the above is true (and complete, I guess), then
we could actually just run a CA-less FreeIPA setup, and
then generate certs specifically and only for the web
(apache) side, which is easy enough and we do it already
for all other internal web services. That limits
cert-related stuff to just one web SSL cert per IPA
master.</div>
</div>
</div>
</div>
</blockquote>
<br>
This is up to you but that means you would not be able to deal with
SSL for some other use cases down the road.<br>
IPA 4.2 has a lot of new functionality to make it easier to issue
and manage certificates for different use cases like: system
provisioning, VPN, devices, wireless, PaaS/IaaS stacks that use
certs for SSL internally etc. Going CA-less will prevent you from
leveraging these capabilities once you realize they are needed down
the road.<br>
<br>
Maybe you would not need them, but I would encourage you to look at
this in a longer perspective than just immediate needs.<br>
<br>
<br>
<blockquote
cite="mid:CABMVzL2S9L07s3FqBg6xvd-UN_cZqezMUqfHqFnhyXxCOanwPA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">We have a special
tool in Freeipa 4.2 to do this. The manual procedure is
cumbersome and leads to issues like this.</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
And to be correct, it is in 4.1 and already released. Sorry for the typo.<br>
<blockquote
cite="mid:CABMVzL2S9L07s3FqBg6xvd-UN_cZqezMUqfHqFnhyXxCOanwPA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Yeah, I saw that, but we are still doing 3.0 on
CentOS 6.6, which is why we had to go down the manual path.</div>
<div> </div>
<div>Thanks,</div>
<div>johnny</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>