[Freeipa-users] Certificate Issues

Dmitri Pal dpal at redhat.com
Wed Feb 20 02:31:27 UTC 2013


On 02/19/2013 05:42 PM, Rob Crittenden wrote:
> Orion Poplawski wrote:
>> On 02/19/2013 03:10 PM, Simo Sorce wrote:
>>> On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
>>>> This is a follow-up to some previous discussions.  I have been lobbying to
>>>> keep (and fix) the ability to install your own certificates when
>>>> configuring IPA in order to make use of wildcard SSL certificates.  But it
>>>> seems this will not be the case.  My last post on this went unanswered and
>>>> I see tickets for the removal going forward.
>>>>
>>>> As I understand it though, I'll still be able to generate a CSR for the
>>>> server and get it signed by an external CA?  If this is the case, I guess
>>>> this extra expense of individual SSL certificates for the various IPA
>>>> servers could be acceptable, although unfortunate as this is what we had
>>>> hoped to avoid with the wildcard cert.
>>>>
>>>> Finally, there was mention of the possibility of getting the IPA CA signed
>>>> by an external authority.  Just to let everyone know, this is a very
>>>> expensive proposition.  I was quoted a $22,500 start fee plus licensing
>>>> costs.  This is *way* out of our (and I suspect many other small
>>>> businesses') price range.
>>>
>>> Why would you need to get your CA signed by a public authority ?
>>>
>>> When we say external we generally think of another "Internal CA" that
>>> you already use for your own services.
>>>
>>> Simo.
>>>
>>>
>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00216.html
>>
>
> The problems with this are:
>
> - Only a very small handful of people actually use this (or used it).
> - We don't test this (obviously) and there are a lot of bugs and corner
> cases.
> - Even if we do fix it, we likely still won't test it very often, leading
> to more woes.
> - This will blow up at cert renewal time.
> - There is still an underlying CA hidden in there, doing nothing (but
> perhaps causing problems).
> - If you want to support FF < 15 you need an object signing cert too, to
> sign the auto-configure jar.
>
> A far better solution than replacing the certificates post-install is
> to have an option to have a CA-less IPA installation. I doubt we'd
> actively work on adding such an option. But it would likely be a lot
> more robust than changing things after-the-fact.

IMO this should eventually help:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
Once this is solved, the right certs can probably be delivered via
OpenLMI or SSSD, so rather than using already-distributed certs it would
be possible to easily distribute and apply the ones you need.
It solves the problem, but from a different side.
Orion, if implemented, would it work for you?

>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
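The wildcard certificate Orion is weighing has a practical limit worth checking before budgeting for it: a name such as *.example.com covers exactly one DNS label, so it matches ipa1.example.com but not ipa.dc1.example.com and not the bare example.com. The script below is an added example, not code from FreeIPA or from anyone in this thread; the host names are constructed, and the rule it implements is the single-label, leftmost-only wildcard matching of RFC 6125 section 6.4.3, which is what TLS clients apply when they validate a server name against the certificate.

```python
"""
Wildcard certificate name matching (added illustration, not FreeIPA code).

Implements the RFC 6125 section 6.4.3 rule: a wildcard may only be the
entire leftmost label and matches exactly one label, so you can see which
IPA server names a single '*.example.com' certificate would cover.
"""


def _match_label(pattern: str, label: str) -> bool:
    # A whole-label wildcard matches any non-empty label; otherwise the
    # labels must be identical (names were lower-cased by the caller).
    if pattern == "*":
        return label != ""
    return pattern == label


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name 'pattern' covers 'hostname'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard stands in for exactly one label, so the label counts must
    # agree: '*.example.com' never covers 'ipa.dc1.example.com'.
    if len(p_labels) != len(h_labels):
        return False
    # Wildcards are only permitted in the leftmost label.
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Partial wildcards such as 'ipa*.example.com' are rejected.
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False
    # Refuse a wildcard that would cover a whole TLD or a bare '*.com'.
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False
    return all(_match_label(p, h) for p, h in zip(p_labels, h_labels))


def covered_hosts(cert_names, hosts):
    """Map each host to whether any name on the certificate covers it."""
    return {h: any(hostname_matches(n, h) for n in cert_names) for h in hosts}


if __name__ == "__main__":
    # Constructed sample: one wildcard cert, several candidate IPA servers.
    cert_names = ["*.example.com"]
    hosts = ["ipa1.example.com", "ipa2.example.com",
             "ipa.dc1.example.com", "example.com"]
    for host, ok in covered_hosts(cert_names, hosts).items():
        print(f"{host:25s} {'covered' if ok else 'NOT covered'}")
```

Run it against the FQDNs of your actual IPA servers: any replica that lives in a sub-domain (ipa.dc1.example.com) would need its own certificate or a second wildcard regardless of what the installer supports, which is relevant to the per-server cost comparison in the thread.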
