[Freeipa-users] Certificate Issues

[Simo Sorce]

On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
> This is a followup to some previous discussions.  I have been lobbying to keep 
> (and fix) the ability to install your own certificates when configuring IPA in 
> order to make use of wildcard SSL certificates.  But it seems this will not be 
> the case.  My last post on this went unanswered and I see tickets for the 
> removal going forward.
> 
> As I understand it though, I'll still be able to generate a CSR for the server 
> and get it signed by and external CA?  If this is the case, I guess this extra 
> expense of individual SSL certificates for the various IPA servers could be 
> acceptable, although unfortunate as this is what we had hoped to avoid with 
> the wildcard cert.
> 
> Finally, there was mention of the possibility of getting the IPA CA signed by 
> an external authority.  Just to let everyone know, this is a very expensive 
> proposition.  I was quoted a $22,500 start fee plus licensing costs.  This is 
> *way* out of our (and I suspect many other small businesses) price range.

Why would you need to get your CA signed by a public authority ?

When we say external we generally think of another "Internal CA" that
you already use for your own services.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York