[Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA

Dmitri Pal dpal at redhat.com
Fri Apr 27 19:15:08 UTC 2012


On 04/27/2012 03:05 PM, David Copperfield wrote:
> > From: Dmitri Pal <dpal at redhat.com>
> >
> > Let us take one at a time.
> > Dogtag is the certificate system.
> > Web services and many other servers use certificates for SSL/TLS
> > peer-to-peer confidentiality and authentication.
> > The certificates need to be issued, so IPA can issue certs for those
> > services in your environment.
> > There is a client component called certmonger. Certmonger can track
> > the expiration of the certs and connects to IPA automatically to
> > acquire a new cert.
> > There will be more certificate related features
> > over time. They would include support of pkinit, issuance and
> > management of the user certificates and many others.
> > Some of the work started but is not complete; this is why you might notice
> > pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
> >
> > Hope it clarifies things.
> >
> Thanks. That's pretty clear. certmonger and Dogtag could be a very
> useful combination.
> For my case, where internal/outside company web servers already have
> external certified 3-year wildcard certificates, and IPA/LDAP servers
> have the dogtag/certmonger installed for them, maybe I can put off
> installing host certificates and certmonger services on other IPA
> clients to save a few CPU cycles now?
>
Up to you.

> Sure I can turn certmonger on and create host certificates anytime as
> long as needs pop up later.
>
> > What is the reason for manually configuring the client?
>
> The main purpose here is company policy. We use central config
> management systems to push out config files, etc. Basically we did
> it for separate Kerberos and LDAP solutions, and now it is required to
> do that for the IPA solution as well. Another benefit is, as long as I
> know how to do it manually, then in case the combo script
> ipa-client-install is overkill, I can do a subcomponent only.

Maybe it would be helpful to share your experience on an IPA wiki page
for others to follow with similar use cases? Do you have something
that I can post there?

If you found anything missing in the documentation please file a BZ or
ticket in upstream trac.

>
> Thanks.
>
> --David


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
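The expiry tracking that Dmitri describes above (certmonger watching a certificate and going back to IPA for a new one before it lapses) is easy to reproduce by hand for a host where certmonger is not yet running, which is the situation David describes. The script below is an added example, not code from the thread or from the FreeIPA/certmonger projects. It uses `openssl x509 -checkend` to decide whether a certificate file falls inside a renewal window and, if so, runs a renewal hook; the default hook is certmonger's own `ipa-getcert resubmit -f <cert>`, but the hook, the 28-day window and the host names are assumptions for illustration. The sample certificates are self-signed ones generated locally by the script so it runs offline.

```shell
#!/bin/sh
# Added example: replicate certmonger's "is renewal due?" decision with
# openssl, then hand off to a renewal hook. Not part of the original thread.
set -eu

# Days before notAfter at which renewal is considered due.
# Assumed value for illustration; certmonger has its own renewal window.
RENEW_WINDOW_DAYS=${RENEW_WINDOW_DAYS:-28}

# Command run when renewal is due; the certificate path is appended.
# Default is certmonger's resubmit against the tracked certificate file.
RENEW_HOOK=${RENEW_HOOK:-"ipa-getcert resubmit -f"}

# renewal_due CERT DAYS
# Exit 0 if CERT expires within DAYS (or is already expired), 1 otherwise.
# "openssl x509 -checkend N" exits 0 only if the cert is still valid N
# seconds from now, so its sense is inverted here.
renewal_due() {
    cert=$1
    window_days=$2
    if openssl x509 -noout -checkend $((window_days * 86400)) \
        -in "$cert" >/dev/null 2>&1; then
        return 1   # still valid beyond the window: nothing to do
    fi
    return 0       # inside the window: renew
}

# check_and_renew CERT
# Prints "renewed" after invoking the hook, or "ok" if no action was needed.
check_and_renew() {
    cert=$1
    if renewal_due "$cert" "$RENEW_WINDOW_DAYS"; then
        $RENEW_HOOK "$cert"
        echo renewed
    else
        echo ok
    fi
}

# make_test_cert BASENAME DAYS CN
# Constructed sample input: a throwaway self-signed cert valid for DAYS days,
# written to BASENAME.key and BASENAME.crt. Only for exercising the checks.
make_test_cert() {
    base=$1
    days=$2
    cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$cn" -keyout "$base.key" -out "$base.crt" >/dev/null 2>&1
}

# Stand-alone use: ./check-cert.sh /etc/pki/tls/certs/host.crt
if [ -n "${1:-}" ]; then
    check_and_renew "$1"
fi
```

Run from cron on a client that does not yet have certmonger tracking, this gives the same "renew before expiry" behaviour in a few lines; once certmonger is enabled, `getcert list` shows the same state for every tracked certificate and the script becomes unnecessary.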