[Freeipa-users] using dogtag outside of freeIPA?

[Fraser Tweedale]

On Fri, Mar 27, 2015 at 03:52:12PM -0500, Steve Neuharth wrote:
> Hello,
> 
> Is it possible or perhaps not recommended to use the dogtag API and/or UI
> on a FreeIPA system without using the freeIPA CLI or UI? I have a
> requirement to submit a certificate to a service without kerberos and
> without client software installed using a RESTful API. Dogtag API is very
> well documented and I do not want to associate all my certificates with a
> Kerberos principal because it adds complexity to the cert signing process.
> I just need to sign a cert without the FreeIPA overhead.
> 
> I tried to get to the Dogtag web UI through the url
> http://ipa.example.com/ca/ee/ca but I get an unauthenticated web page (no
> password prompt) and broken image links. This tells me that perhaps the
> Dogtag UI in a FreeIPA installation is not meant to be used without
> FreeIPA. Is that correct?
> 
The page being unauthenticated is normal - anyone can submit a
certificate request; it is then enqueued for a CA admin or agent to
review and approve/reject.  Alternatively, you can configure a
certificate profile to authenticate against the IPA directory for
automatic approval (but the overall interface will still be
unauthenticated).

The certificate and key for admin access to Dogtag (so you can
approve certificate requests) are found in /root/ca-agent.p12 on the
FreeIPA server.

> I know this is a weird use case and not necessarily a FreeIPA problem but
> if someone could advise, I'd greatly appreciate it.
> --steve

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project