[Freeipa-devel] [rhcs-dev-list] IPA as a subordinate CA issuer

Adam Young ayoung at redhat.com
Wed Sep 7 00:08:49 UTC 2011


On 09/02/2011 12:46 PM, Andrew Wnuk wrote:
> On 09/02/2011 06:05 AM, Rob Crittenden wrote:
>> The rhev-m team is trying to integrate IPA into their installs. They 
>> currently use SSL as well and we're battling over the Apache 
>> certificate (there can be only one).
>>
>> One option that came up is if they install IPA first if we can issue 
>> them a subordinate CA then they can do their own thing without 
>> changing too much of their code.
>>
>> I know dogtag can do this but I have no doubt that it currently 
>> requires human intervention. Is it possible to write a profile to 
>> have the IPA RA issue a subordinate CA cert automatically (as 
>> dangerous as that is)?
>>
>> rob
>>
>
> Although we agree that this practice should be avoided, Dogtag can be 
> configured to issue subordinate CA certificates automatically. 
> However, certificate request parametrization may need to be provided 
> if we want to issue different certificates for services and sub-CAs. 
> This assumes IPA has the ability to authenticate and authorize rhev-m 
> sub-CA requests properly, and that rhev-m sub-CA functionality is well 
> reviewed so nobody will question certificates issued by rhev-m sub-CAs.
>
> Thank you,
> Andrew
>
Does this even make sense? Wouldn't we want to have RHEV-M and IPA use 
the same CA? Do they really need their own?  I can't see that you would 
take an existing CA and later make it a subordinate to a Dogtag CA, so 
really they can use the Dogtag instance from IPA, and not try to manage 
the CA themselves, OR manage it themselves completely.  I'm guessing 
that, like most of the projects that do some aspect of CA-stuff, they 
have an incomplete solution, probably along the lines of IPA's 
self-signed certs.
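Added example, not part of the thread or of the IPA/Dogtag code: the
discussion above is about a Dogtag profile that would issue rhev-m a
subordinate CA certificate automatically. The script below builds a
throwaway two-tier PKI with the openssl CLI to show the two constraints a
reviewer would want baked into such a profile (basicConstraints
pathlen:0 and a DNS nameConstraints entry) and what relying parties then
accept or reject from that sub-CA. The CA names, the rhev.example.test
domain and the file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a two-tier PKI built with the openssl CLI to show what a
# constrained subordinate CA certificate looks like and what relying parties
# will and will not accept from it. Names, the rhev.example.test domain and
# the file layout are assumptions made for this example.
set -e

PKI_DIR=$(mktemp -d)          # mktemp paths contain no spaces; see verify_chain
trap 'rm -rf "$PKI_DIR"' EXIT

# Write an X.509 v3 extension file for use with openssl x509 -extfile.
write_ext() { printf '%s\n' "$2" > "$PKI_DIR/$1.ext"; }

# Key pair plus CSR: $1=name $2=subject
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" >/dev/null 2>&1
}

# Sign a CSR with an issuing CA: $1=name $2=issuer name $3=extension file name
sign_csr() {
  openssl x509 -req -sha256 -days 30 -in "$PKI_DIR/$1.csr" \
    -CA "$PKI_DIR/$2.crt" -CAkey "$PKI_DIR/$2.key" -CAcreateserial \
    -extfile "$PKI_DIR/$3.ext" -out "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Self-signed root, standing in for the IPA (Dogtag) CA.
make_root() {
  make_csr root "/CN=Example IPA Root CA"
  write_ext root 'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash'
  openssl x509 -req -sha256 -days 30 -in "$PKI_DIR/root.csr" \
    -signkey "$PKI_DIR/root.key" -extfile "$PKI_DIR/root.ext" \
    -out "$PKI_DIR/root.crt" >/dev/null 2>&1
}

# CA certificate: $1=name $2=issuer $3=subject $4=basicConstraints value
# $5=extra extension lines (e.g. nameConstraints), may be empty
issue_ca() {
  make_csr "$1" "$3"
  write_ext "$1" "basicConstraints=critical,$4
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
$5"
  sign_csr "$1" "$2" "$1"
}

# Service (end-entity) certificate: $1=name $2=hostname $3=issuer
issue_leaf() {
  make_csr "$1" "/CN=$2"
  write_ext "$1" "basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:$2"
  sign_csr "$1" "$3" "$1"
}

# Validate $1 against the root through the listed intermediates; prints ok or fail.
verify_chain() {
  leaf=$1; shift
  untrusted=""
  for ca in "$@"; do untrusted="$untrusted -untrusted $PKI_DIR/$ca.crt"; done
  # $untrusted is deliberately unquoted so it expands to separate arguments.
  if openssl verify -CAfile "$PKI_DIR/root.crt" $untrusted \
       "$PKI_DIR/$leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Print the constraint-related extension lines of a CA certificate.
show_constraints() {
  openssl x509 -in "$PKI_DIR/$1.crt" -noout -text |
    grep -E 'pathlen|Permitted|DNS:' | sed 's/^ *//'
}

build_pki() {
  make_root
  # The sub-CA IPA would hand to rhev-m: no CAs below it, and only names
  # under the (assumed) rhev.example.test zone.
  issue_ca subca root "/CN=RHEV-M Sub CA" "CA:TRUE,pathlen:0" \
    "nameConstraints=critical,permitted;DNS:.rhev.example.test"
  issue_leaf manager manager.rhev.example.test subca
  issue_leaf outside www.other.example.test subca
  # What happens if the sub-CA tries to delegate further: signing succeeds,
  # but the pathlen:0 constraint makes the resulting chain unverifiable.
  issue_ca rogue subca "/CN=Rogue Sub-Sub CA" "CA:TRUE" ""
  issue_leaf rogue_leaf api.rhev.example.test rogue
}

build_pki
show_constraints subca
echo "manager via subca:          $(verify_chain manager subca)"            # ok
echo "outside name via subca:     $(verify_chain outside subca)"            # fail
echo "leaf via rogue sub-sub CA:  $(verify_chain rogue_leaf subca rogue)"   # fail
```

The point of the two failing cases is that the sub-CA key itself cannot be
stopped from signing anything; the only lever the issuing CA keeps is what
it writes into the sub-CA certificate. A Dogtag profile that auto-issues
sub-CA certificates to rhev-m should therefore set pathLenConstraint to 0
and a nameConstraints entry scoped to the rhev-m hosts, so that whatever
the rhev-m side does with the key, clients that validate against the IPA
root will only accept service certificates for those names.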



