[Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority?
Marco Pizzoli
marco.pizzoli at gmail.com
Mon Feb 13 17:43:39 UTC 2012
Hi Adam,
On Mon, Feb 13, 2012 at 5:58 PM, Adam Young <ayoung at redhat.com> wrote:
> On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
>
> Hi,
> I see DogTag PKI used as a certificate server for the enrollment of hosts
> and services.
> What about the enrollment of normal X509v3 certificates? I have not seen,
> correct me if I'm wrong, any reference to the possibility to use it as a
> regular CA for user certificates. Not within FreeIPA, of course.
>
> Is there any drawback in using it as the primary CA for the company?
>
>
> It is a full CA. You can use it as such. Dogtag is a vibrant project in
> its own right, and you can find developers on #dogtag-pki in Freenode.
> The install is done via pkisilent, and you might want to make sure that
> you understand the parameters used to call it.
>
I will. Thanks for the pointer.
> One major drawback is that IPA has disabled Nonces in the Dogtag backend.
> These are there to defend against a CSRF attack. What this means is that
> you should not expose the Dogtag WebUI through the IPA server, either on
> its Dogtag port or via HTTP proxy. It should be explicitly stated that IPA
> implements Nonces for its web UI, and does not allow session based calls
> through to the Dogtag back end, so its configuration is secure. The
> problem is only exposed if you expose additional web URLs to the Dogtag
> backend beyond those specified in the PKI Proxy.
>
> Enabling nonces will break IPA.
>
You told me something I wasn't aware of. I will dig into this during the next
few weeks.
> I've installed and used the standard Java tools for Dogtag and used them
> to talk to the PKI backend installed by IPA. They work fine.
>
Ok, this is what I hoped to read! :-)
> Currently, IPA acts as a single Agent in Dogtag. This should be fine.
> For other certificate usage, you should probably use a different agent.
>
Please be patient with me, I don't yet understand the concept of "agent".
Even a reference to the documentation would be helpful to me.
> IPA does not currently support user certificates. However, there are
> standard LDAP object classes and attributes that you could conceivably use
> to record them if you wanted to keep them in a single DirSrv. Obviously,
> you do not want to put the private keys on the IPA server, so plan
> accordingly.
>
I will, I promise :-)
> Red Hat does not support using the Certificate Server (PKI) backend with
> its Identity management install for purposes other than support for the IdM
> (IPA) front end, so beware that you have no "up sell" if you desire to get
> paid support for IPA.
>
I understand.
Let me add a question I'm curious about: if I remember correctly, on the PKI-user
mailing list I read a user complaining about RH not selling RHCS standalone
anymore. Is that true?
You've been very helpful! Your blog too... :-)
Thanks a lot!
Marco
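The nonce and proxy-allowlist point in Adam's reply above, as an added example that is not part of this thread and is not FreeIPA or Dogtag code: a tiny model of a front end that (a) binds an anti-CSRF nonce to each session and requires it on every state-changing request, and (b) forwards only an allowlisted set of backend paths. The path names, session store and function names are constructed for illustration; the `nonces_enabled=False` switch models a backend whose nonce check has been turned off, which is why such a backend must stay reachable only through the allowlisted paths.

```python
# Added example, not FreeIPA/Dogtag code. Models the two defences from the
# thread: a per-session anti-CSRF nonce, and a proxy allowlist so that only
# the backend URLs meant to be reachable through the front end are forwarded.
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed allowlist standing in for "the URLs specified in the PKI Proxy".
PROXIED_PATHS = {"/backend/enroll", "/backend/status"}

# session_id -> nonce. The nonce is handed to the UI on session creation and
# must be echoed back on every state-changing request.
_sessions: Dict[str, str] = {}


def new_session() -> Tuple[str, str]:
    """Create a session and its anti-CSRF nonce. Returns (session_id, nonce)."""
    session_id = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(32)
    _sessions[session_id] = nonce
    return session_id, nonce


def nonce_is_valid(session_id: str, presented: Optional[str]) -> bool:
    """True only if the request carries the nonce bound to this session.
    Constant-time comparison avoids leaking the nonce byte by byte."""
    expected = _sessions.get(session_id)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected, presented)


def handle_request(method: str, path: str, session_id: str,
                   nonce: Optional[str], nonces_enabled: bool = True
                   ) -> Tuple[int, str]:
    """Decide whether a browser request may be forwarded to the backend.

    Returns an (HTTP status, reason) pair. Order of checks: a valid session
    is required, then the path must be on the proxy allowlist, then any
    state-changing method must present the session's nonce. With
    nonces_enabled=False the nonce check is skipped, so a request riding on
    a victim's session cookie would be forwarded: the CSRF exposure the
    thread warns about when extra backend URLs are exposed.
    """
    if session_id not in _sessions:
        return 401, "no session"
    if path not in PROXIED_PATHS:
        return 404, "path not proxied"
    if method in ("GET", "HEAD"):
        return 200, "forwarded (read-only)"
    if nonces_enabled and not nonce_is_valid(session_id, nonce):
        return 403, "missing or wrong nonce"
    return 200, "forwarded"


def forged_post_is_blocked(session_id: str, path: str) -> bool:
    """Model a cross-site forged POST: the victim's browser attaches the
    session cookie, but the forging page cannot read the victim's nonce,
    so the request arrives without one. Returns True if it is rejected."""
    status, _ = handle_request("POST", path, session_id, nonce=None)
    return status == 403


if __name__ == "__main__":
    sid, n = new_session()
    print(handle_request("POST", "/backend/enroll", sid, n))        # (200, 'forwarded')
    print(handle_request("POST", "/backend/enroll", sid, None))     # (403, 'missing or wrong nonce')
    print(forged_post_is_blocked(sid, "/backend/enroll"))           # True
    print(handle_request("POST", "/backend/admin", sid, n))         # (404, 'path not proxied')
```

The allowlist check runs before the nonce check on purpose: a request to a path that is not meant to be proxied is refused regardless of how the backend happens to be configured, so the front end's safety does not depend on the backend's nonce setting.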