[Freeipa-users] FreeIPA vs DogTag CA

Kaamel Periora techpkiuser at gmail.com
Tue Aug 16 09:24:41 UTC 2016


Thanks Rob and Fraser, appreciate your time in replying.

Currently we are not using FreeIPA but dogtag 9 as a standalone system
with RA and OCSP as well.

We thought of migrating to FreeIPA after looking at the ease of
management and the excellent support community behind it.

We require SSL/TLS server certificates and user certificates as well.

Currently our major issue is the continuous changes (not stable) in the
underlying OS which is Fedora. If we proceed with Dogtag over CentOS or
RedHat, will that suffice the stability requirements while delivering the
same level of integration with Fedora?

Your opinion is much appreciated.

Kaamel

On Fri, Aug 12, 2016 at 6:10 AM, Fraser Tweedale <ftweedal at redhat.com>
wrote:

> On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> > Kamal Perera wrote:
> > > Dear all,
> > >
> > > Seeking your kind advice.
> > >
> > > If the requirement is for having a scalable corporate CA only, is it
> > > possible to get this requirement fulfilled with DogTag only, or install
> > > FreeIPA and use the CA functionality only.
> >
> > IPA limits dogtag to only those features it is interested in. This has
> > been expanding recently but you still lose some functionality.
> >
> > IMHO if all you want is a CA then managing IPA is overkill.
> >
> > > What are the functional differences and support limitations?
> >
> > Functionally it depends on what version of IPA you're talking about.
> > Older versions only exposed server certificates. Newer versions support
> > user certifications, custom profiles and more. It is still just a subset
> > of what dogtag supports.
> >
> > Support from whom? The dogtag community is happy to help (they've always
> > helped us).
> >
> There are lots of questions that can help you decide which path to
> take: what kinds of certs do you want to issue; to what entities;
> who will issue them; are you already using FreeIPA in your
> organisation?
>
> In regards to functional differences, Dogtag CA and KRA are
> supported with FreeIPA; token processing and standalone OCSP are
> not.  I disagree somewhat with Rob in that unless you need those
> other Dogtag subsystems, I see little disadvantage in using FreeIPA.
> It definitely makes deploying the CA easier and managing renewals
> easier.
>
> The more you tell us of your requirements, the more we can help :)
>
> Thanks,
> Fraser
>