[Freeipa-users] FreeIPA vs DogTag CA

Fraser Tweedale ftweedal at redhat.com
Fri Aug 12 00:40:15 UTC 2016


On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> Kamal Perera wrote:
> > Dear all,
> > 
> > Seeking your kind advice.
> > 
> > If the requirement is for having a scalable corporate CA only, is it
> > possible to get this requirement fulfilled with DogTag only, or install
> > FreeIPA and use the CA functionality only?
> 
> IPA limits dogtag to only those features it is interested in. This has been
> expanding recently but you still lose some functionality.
> 
> IMHO if all you want is a CA then managing IPA is overkill.
> 
> > What are the functional differences and support limitations?
> 
> Functionally it depends on what version of IPA you're talking about. Older
> versions only exposed server certificates. Newer versions support user
> certifications, custom profiles and more. It is still just a subset of what
> dogtag supports.
> 
> Support from whom? The dogtag community is happy to help (they've always
> helped us).
> 
There are lots of questions that can help you decide which path to
take: what kinds of certs do you want to issue; to what entities;
who will issue them; are you already using FreeIPA in your
organisation?

In regards to functional differences, Dogtag CA and KRA are
supported with FreeIPA; token processing and standalone OCSP are
not.  I disagree somewhat with Rob in that unless you need those
other Dogtag subsystems, I see little disadvantage in using FreeIPA.
It definitely makes deploying the CA easier and managing renewals
easier.

The more you tell us of your requirements, the more we can help :)

Thanks,
Fraser



