<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I don't have the whole context from what's described to answer your
specific questions, but I can answer the question regarding Dogtag.
See below.<br>
<br>
<div class="moz-cite-prefix">On 05/02/2017 02:45 AM, Pieter Baele
wrote:<br>
</div>
<blockquote
cite="mid:CADDXySr8N+HJ2x=MFNK3=7E7+_tUnot8sS-ZWF7sOip2uO2FZg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="color:rgb(33,33,33);font-size:13px">We will start
setting up IDM/FreeIPA for a specific linux subdomain in our
enterprise.</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">But how can we
best integrate Dogtag with the enterprise CA infrastructure
(MS Certificate Services)?</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">Option 1: Dogtag
as the rootCA (?)</div>
<div style="color:rgb(33,33,33);font-size:13px">We can use
FreeIPA for all certificates where we need to encrypt
end-to-end communication between servers (as example)<br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">And websites by
external CAs or the enterprise CA infrastructure for which the
issuing subCAs are published to all clients... </div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">What about the
principle of an offline rootCA in that case? Is that possible
with Dogtag?<br>
</div>
</div>
</blockquote>
Offline rootCA is actually what we'd recommend for large secure
deployment sites, where you would set up a Dogtag root CA and issue
one or more subordinate CAs. I think you could also set up an OCSP
subsystem that's paired up with the root CA to serve revocation
information once you bring the root CA offline.<br>
You would only need to bring up the rootCA when you need to install
more subordinate CAs or revoke one.<br>
<br>
<blockquote
cite="mid:CADDXySr8N+HJ2x=MFNK3=7E7+_tUnot8sS-ZWF7sOip2uO2FZg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">Option 2: Dogtag
(RH IDM) as a subordinate CA of MS CA.</div>
<div style="color:rgb(33,33,33);font-size:13px">Is there a
specific reason that a subordinate CA is a better idea?<br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">Our PKI
administrators do not really like an additional subCA,
because it is difficult to limit exposure/risks?</div>
<div style="color:rgb(33,33,33);font-size:13px">We still need to
publish the subca to clients?</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">What's your
opinion: rootCA, or subordinate CA signed by the existing MS
Certificate Services PKI?</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">-- Pieter</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
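Added example, not part of the mail above and not Dogtag code: the
offline-root layout described in the reply, built with plain OpenSSL so
the chain and revocation mechanics can be seen end to end. The directory
layout, subject names and the minimal openssl.cnf are assumptions of the
example. The root is self-signed and its directory is what you would keep
offline; the subordinate is issued by the root with pathlen:0; a leaf is
issued from the subordinate and verified by a client that trusts only the
root and is handed the subordinate as untrusted chain material; finally
the root is brought up just long enough to revoke the subordinate and cut
a CRL, after which the same verification fails. The OCSP responder
mentioned in the reply is not built here; the CRL stands in for the
revocation data it would serve.<br>

```shell
#!/bin/sh
# Added example: two-tier CA hierarchy with OpenSSL (not Dogtag code).
# Assumes `openssl` 1.1.1 or newer on PATH. All paths/names are invented.
set -eu

# Minimal config for `openssl ca` (index, serial, CRL number, policy and the
# extension profile for a subordinate CA). Lives in the offline root dir.
write_root_config() {
  rdir="$1/root"
  mkdir -p "$rdir/newcerts"
  : > "$rdir/index.txt"
  echo 1000 > "$rdir/serial"
  echo 1000 > "$rdir/crlnumber"
  cat > "$rdir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = $rdir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/root.crt
private_key = \$dir/root.key
default_md = sha256
default_days = 1825
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
[ sub_ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Build root -> subordinate -> leaf under "$1". Only the root directory
# would stay offline in a real deployment; sub/ is the online issuing CA.
build_hierarchy() {
  base="$1"
  write_root_config "$base"
  cfg="$base/root/openssl.cnf"
  # Root CA: self-signed, CA:TRUE, no pathlen limit, signing + CRL signing.
  openssl ecparam -name prime256v1 -genkey -noout -out "$base/root/root.key"
  openssl req -config "$cfg" -new -x509 -key "$base/root/root.key" -sha256 \
    -days 3650 -subj "/CN=Example Offline Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" \
    -out "$base/root/root.crt"
  # Subordinate CA: own key, CSR, certificate issued by the root with pathlen:0
  # so it can sign end-entity certificates but not further CAs.
  mkdir -p "$base/sub"
  openssl ecparam -name prime256v1 -genkey -noout -out "$base/sub/sub.key"
  openssl req -config "$cfg" -new -key "$base/sub/sub.key" \
    -subj "/CN=Example Issuing CA" -out "$base/sub/sub.csr"
  openssl ca -batch -config "$cfg" -extensions sub_ca_ext -notext \
    -in "$base/sub/sub.csr" -out "$base/sub/sub.crt" >"$base/root/ca.log" 2>&1
  # Leaf: issued by the subordinate (server-to-server style certificate).
  openssl ecparam -name prime256v1 -genkey -noout -out "$base/sub/leaf.key"
  openssl req -config "$cfg" -new -key "$base/sub/leaf.key" \
    -subj "/CN=app01.example.test" -out "$base/sub/leaf.csr"
  openssl x509 -req -in "$base/sub/leaf.csr" -CA "$base/sub/sub.crt" \
    -CAkey "$base/sub/sub.key" -CAcreateserial -days 365 -sha256 \
    -out "$base/sub/leaf.crt" 2>/dev/null
}

# 0 if the subordinate chains to the root (no revocation data consulted).
chain_ok() {
  openssl verify -CAfile "$1/root/root.crt" "$1/sub/sub.crt" 2>&1 | grep -q ': OK$'
}

# 0 if a client that trusts only the root, and is given the subordinate as
# untrusted chain material, accepts the leaf.
leaf_ok() {
  openssl verify -CAfile "$1/root/root.crt" -untrusted "$1/sub/sub.crt" \
    "$1/sub/leaf.crt" 2>&1 | grep -q ': OK$'
}

# Bring the root "online": revoke the subordinate and publish a fresh CRL.
revoke_sub() {
  cfg="$1/root/openssl.cnf"
  openssl ca -batch -config "$cfg" -revoke "$1/sub/sub.crt" >>"$1/root/ca.log" 2>&1
  openssl ca -batch -config "$cfg" -gencrl -out "$1/root/root.crl" >>"$1/root/ca.log" 2>&1
}

# Same as chain_ok but honouring the root's CRL; non-zero once sub is revoked.
chain_ok_with_crl() {
  openssl verify -crl_check -CAfile "$1/root/root.crt" \
    -CRLfile "$1/root/root.crl" "$1/sub/sub.crt" 2>&1 | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
build_hierarchy "$demo_dir"
if chain_ok "$demo_dir"; then echo "sub CA chains to root"; fi
if leaf_ok "$demo_dir"; then echo "leaf verifies via root + untrusted sub"; fi
revoke_sub "$demo_dir"
if chain_ok_with_crl "$demo_dir"; then echo "UNEXPECTED: sub still OK"; \
  else echo "sub CA rejected against root CRL"; fi
```

Run it as-is to see the three messages; the interesting artifacts are in the
temporary directory it prints nothing about, so set a fixed path in
`demo_dir` if you want to inspect `root/index.txt` and `root/root.crl`
afterwards.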
</body>
</html>