[Freeipa-users] Certificate Issues
Rob Crittenden
rcritten at redhat.com
Tue Feb 19 22:42:41 UTC 2013
Orion Poplawski wrote:
> On 02/19/2013 03:10 PM, Simo Sorce wrote:
>> On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
>>> This is a followup to some previous discussions. I have been
>>> lobbying to keep
>>> (and fix) the ability to install your own certificates when
>>> configuring IPA in
>>> order to make use of wildcard SSL certificates. But it seems this
>>> will not be
>>> the case. My last post on this went unanswered and I see tickets for
>>> the
>>> removal going forward.
>>>
>>> As I understand it though, I'll still be able to generate a CSR for
>>> the server
>>> and get it signed by and external CA? If this is the case, I guess
>>> this extra
>>> expense of individual SSL certificates for the various IPA servers
>>> could be
>>> acceptable, although unfortunate as this is what we had hoped to
>>> avoid with
>>> the wildcard cert.
>>>
>>> Finally, there was mention of the possibility of getting the IPA CA
>>> signed by
>>> an external authority. Just to let everyone know, this is a very
>>> expensive
>>> proposition. I was quoted a $22,500 start fee plus licensing costs.
>>> This is
>>> *way* out of our (and I suspect many other small businesses) price
>>> range.
>>
>> Why would you need to get your CA signed by a public authority ?
>>
>> When we say external we generally think of another "Internal CA" that
>> you already use for your own services.
>>
>> Simo.
>>
>>
> https://www.redhat.com/archives/freeipa-users/2013-January/msg00216.html
>
The problems with this are:
- Only a very small handful of people actually use this (or used it).
- We don't test this (obviously) and there are a lot of bugs and corner
cases
- Even if we do fix it, we likely still won't test it very often,
leading to more woes
- This will blow up at cert renewal time
- There is still an underlying CA hidden in there, doing nothing (but
perhaps cause problems)
- If you want to support FF < 15 you need an object signing cert too to
sign the auto-configure jar
A far better solution than replacing the certificates post-install is to
have an option to have a CA-less IPA installation. I doubt we'd actively
work on adding such an option. But it would likely be a lot more robust
than changing things after-the-fact.
rob
More information about the Freeipa-users
mailing list