[Freeipa-users] DogTag PKI uses ?

Rob Crittenden rcritten at redhat.com
Thu May 10 20:52:54 UTC 2012


Jan-Frode Myklebust wrote:
> We're finally implementing IPA in our company (migrating from Sun
> Identity Manager populated LDAP + manually maintained netgroups and
> sudoers also in LDAP). I think I understand how to migrate these parts
> to IPA, but the dogtag part is quite foreign currently..
>
> We already have two private PKI infrastructures implemented. One for
> managing user certificates for about 250 openvpn users, and another for
> managing certificates for a few internal web services. Should we look
> into re-using one of these CAs in IPA?

You could install IPA as a subordinate CA of one of them. IPA requires 
its own CA.

> I think it would be marvelous if IPA/dogtag could create certs/keys for
> the users, and keep a copy of the users' CSRs so that it could automatically
> send the user an updated certificate with an expiry matching the password
> lifetime. Is this something that's possible currently, or on the roadmap maybe?

Right now the CA is used only to issue server certificates. We have user 
certs on the roadmap but that won't be ready for quite some time (year 
or more, realistically).

rob