[Freeipa-devel] [RFE] CA-less install

Rob Crittenden rcritten at redhat.com
Fri Mar 22 12:53:10 UTC 2013


Dmitri Pal wrote:
> On 03/22/2013 08:10 AM, Petr Viktorin wrote:
>> The design page for CA-less installation with user-provided SSL certs
>> is available at http://freeipa.org/page/V3/CA-less_install. I've also
>> copied it to this mail.
>>
>> Does it answer all your questions?
>>
> Petr,
>
> It answers a lot of questions.
> However isn't the whole goal to be able to use external CA we do not
> have control of as a part of the trust chain?
>
> I might very well confuse things so bear with me.
>
> Say I have a public CA X I want to use as the root of my trust chain so
> that I do not need to distribute certificates to all my clients.
> I can't create a sub CA using external-ca because it will cost me a lot
> of money.
>
> But I can create a PKI pair for just two servers (HTTP and DS) much
> cheaper. Is this the assumption?
> Is this really how this works? Is it really easy to get a CSR signed by
> a public CA X?

Yes, it really can be that easy. Most of the requests in this area have 
involved using wildcard certs which are slightly more complex to get, 
but you can get free SSL server certs from StartSSL in less than 30 
minutes (providing you can prove you manage the domain you're requesting 
certs for).

I imagine that most will use the same cert for both services, rather 
than getting separate certs.

> Other comments: what are the implications on the certmonger and cert
> rotation. I assume certmonger will be turned off. It should then be
> documented that we will not track or warn about the cert expiration.

Right, we won't be able to leverage certmonger. Users will be on their 
own to handle renewal.

> In future for the KDC pkinit support we will need yet another cert for
> the KDC, you do not need to implement it now but please consider this in
> the design.

This is a grey area. I don't know if the public CAs will issue this kind 
of cert. A survey would be required to find out.

rob
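Since a CA-less install leaves certmonger out of the picture, nothing on the server warns before the HTTP and DS certificates expire. The script below is an added example, not part of this thread or of FreeIPA itself: it uses `openssl x509 -checkend` to flag any PEM certificate that expires within a chosen number of days, so it can run from cron as a stand-in for certmonger's expiry tracking. The certificate file paths and the 30-day default threshold are assumptions; export the server certs to PEM from wherever your deployment stores them before pointing the script at them.

```shell
#!/bin/sh
# Added example (not FreeIPA code): warn about server certificates that are
# close to expiry when certmonger is not tracking them (CA-less install).
set -e

# cert_expires_within DAYS CERT.pem
# Returns 0 (true) if the certificate's notAfter falls within DAYS days,
# 1 (false) if it stays valid beyond that window. Uses openssl's -checkend,
# which takes the window in seconds and exits 0 when the cert is still
# good at the end of it.
cert_expires_within() {
    days=$1
    cert=$2
    secs=$((days * 86400))
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1    # still valid past the window
    fi
    return 0        # expires within the window (or is already expired)
}

# check_certs DAYS CERT.pem [CERT.pem ...]
# Prints one status line per certificate and returns 1 if any of them
# expires within DAYS days, so a cron job can alert on the exit status.
check_certs() {
    threshold=$1
    shift
    rc=0
    for c in "$@"; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        if cert_expires_within "$threshold" "$c"; then
            echo "WARN: $c expires $end ($subj)"
            rc=1
        else
            echo "OK:   $c valid beyond ${threshold} days (notAfter $end)"
        fi
    done
    return $rc
}

# Usage: sh check-cert-expiry.sh /path/to/http.pem /path/to/ds.pem
# CERT_WARN_DAYS overrides the assumed 30-day warning threshold.
if [ "$#" -gt 0 ]; then
    check_certs "${CERT_WARN_DAYS:-30}" "$@"
fi
```

Run it daily from cron with the exported HTTP and DS certificates as arguments; a non-zero exit status (and the `WARN:` line) is the renewal reminder that certmonger would otherwise have provided.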