[Freeipa-users] [Import existing CA Cert]

Michael Anderson michael.anderson at elegosoft.com
Wed Sep 23 08:05:58 UTC 2015


Hi Martin,

thanks for your reply.

On 09/23/2015 09:07 AM, Martin Kosek wrote:
> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>>   Hi All,
>>
>> we're evaluating freeipa/dogtag as a pki management service and hoping to
>> replace our existing menagerie of bash/openssl scripts. I'm trying to establish
>> a migration path for our existing pki solution and have a few questions:
> Hi Michael,
>
> Before you continue with the project, please keep in mind that FreeIPA PKI
> capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
> It does not allow you to generate completely random certificates (at the moment).

Does that mean that I can only generate certificates for hosts running 
the client software? What I'd really like to be able to do is automate 
Apache/Nginx SSL cert generation for our dev/continuous-delivery 
infrastructure. So I'd like to have two or three signing CAs for dev, 
staging and prod and automate CSR creation, signing and deployment. Is 
this feasible with freeipa?

>
>> * how can I import and use our existing CA signing cert?
>> * can I import existing server certs and keys?
> Could you create FreeIPA server CA as subordinate CA to your current CA? To me,
> it seems the easiest way as I do not think we have some nice CLIs to inject
> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
> have an idea.
>
> More here:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructurell

With my current project I'll be rebuilding a lot of stuff, so starting 
fresh with a new freeipa-generated signing cert won't be such a problem. 
That said, it seems to me that the ability to import and use an existing 
signing cert would lower the adoption threshold for new users.

>
>> * I'm using Fedora22. When I install dogtag-pki, the user page for submitting
>> csr's is available. But when I install the freeipa package, I get a 404 when
>> attempting to access the page. Is this functionality available in freeipa?
> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
> and passing the certificates from/to user. I think the Dogtag UI should be
> still somehow accessible, but is not the supported way.
>
> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
> via certmonger (man ipa-getcert) component that even renews the certificate.
>
> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
> related capabilities than older versions, for beginning Certificate Profiles,
> which are a must if you do not want to use just single fixed cert profile.

I'm using the version packaged with Fedora 22, 4.1.4.

>
> More here:
> http://www.freeipa.org/page/Releases/4.2.0
>
> Martin

-- 
Michael Anderson
IT Services & Support

elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany

phone +49 30 23 45 86 96      michael.anderson at elegosoft.com
fax   +49 30 23 45 86 95      http://www.elegosoft.com

Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin Amtsgericht
Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194
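The certmonger route Martin points to (man ipa-getcert) is the piece that would automate the CSR creation, signing and deployment Michael asks about. The script below is an added example, not code from this thread or from the FreeIPA project; it assumes the web host is already an enrolled IPA client and that the HTTP/<fqdn> service principal exists in FreeIPA, with hypothetical host names.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): request a web server
# certificate from the FreeIPA CA through certmonger, which also renews it.
# Assumes an enrolled IPA client and an existing HTTP/<fqdn> service entry.

# Build the ipa-getcert request for one web host.
#   -K  Kerberos principal the certificate is bound to (an IPA service object)
#   -N  requested subject; -D  DNS subjectAltName
#   -f/-k  where certmonger stores the certificate and private key
#   -C  command certmonger runs after issuance and after every renewal
#   -w  block until the CA has answered
build_getcert_cmd() {
    fqdn="$1"
    reload_cmd="$2"
    printf 'ipa-getcert request -w -K HTTP/%s -N CN=%s -D %s -f /etc/pki/tls/certs/%s.crt -k /etc/pki/tls/private/%s.key -C "%s"' \
        "$fqdn" "$fqdn" "$fqdn" "$fqdn" "$fqdn" "$reload_cmd"
}

# Pick the reload hook for the web server in use (fails on unknown servers).
reload_hook() {
    case "$1" in
        apache) echo "systemctl reload httpd" ;;
        nginx)  echo "systemctl reload nginx" ;;
        *)      return 1 ;;
    esac
}

# Submit the request when certmonger is installed; otherwise print what would
# run, so the script can be reviewed on a machine without FreeIPA.
request_web_cert() {
    hook=$(reload_hook "$2") || { echo "unknown server: $2" >&2; return 1; }
    cmd=$(build_getcert_cmd "$1" "$hook")
    if command -v ipa-getcert >/dev/null 2>&1; then
        eval "$cmd"
    else
        echo "dry-run: $cmd"
    fi
}

# Constructed example host; dev, staging and prod hosts each get their own
# request, and 'getcert list' shows their tracking and renewal state.
request_web_cert web1.dev.example.test nginx
```

Because the certificate is tied to the HTTP/<fqdn> service object, the host must exist in FreeIPA first; separate signing CAs per environment are not something this setup provides.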
