[Freeipa-users] FreeIPA vs DogTag CA

Fraser Tweedale ftweedal at redhat.com
Tue Aug 16 09:34:08 UTC 2016


On Tue, Aug 16, 2016 at 02:54:41PM +0530, Kaamel Periora wrote:
> Thanks Rob and Fraser, appreciate your time in replying.
> 
> Currently we are not using FreeIPA but dogtag 9 as a standalone system
> with RA and OCSP as well.
> 
> We thought of migrating to FreeIPA after looking at the ease of
> management and excellent support community behind.
> 
> We require SSL/TLS server certificates and user certificates as well.
> 
> Currently our major issue is the continuous changes (not stable) in the
> underlying OS which is Fedora. If we proceed with Dogtag over CentOS or
> RedHat, will that suffice the stability requirements while delivering the
> same level of integration with Fedora?
> 
> Your opinion is much appreciated.
> 
> Kaamel
> 
FreeIPA and Dogtag are both available in RHEL and CentOS, so you can
have FreeIPA's ease of management on a less rapidly-evolving
platform.

Caveat: the standalone OCSP subsystem is not supported on RHEL, but
the CA subsystem has an inbuilt OCSP responder which may suffice.

Thanks,
Fraser

> On Fri, Aug 12, 2016 at 6:10 AM, Fraser Tweedale <ftweedal at redhat.com>
> wrote:
> 
> > On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> > > Kamal Perera wrote:
> > > > Dear all,
> > > >
> > > > Seeking your kind advice.
> > > >
> > > > If the requirement is for having a scalable corporate CA only, is it
> > > > possible to get this requirement fulfilled with DogTag only, or install
> > > > FreeIPA and use the CA functionality only.
> > >
> > > IPA limits dogtag to only those features it is interested in. This has
> > > been expanding recently but you still lose some functionality.
> > >
> > > IMHO if all you want is a CA then managing IPA is overkill.
> > >
> > > > What are the functional differences and support limitations?
> > >
> > > Functionally it depends on what version of IPA you're talking about.
> > > Older versions only exposed server certificates. Newer versions support
> > > user certifications, custom profiles and more. It is still just a subset
> > > of what dogtag supports.
> > >
> > > Support from whom? The dogtag community is happy to help (they've always
> > > helped us).
> > >
> > There are lots of questions that can help you decide which path to
> > take: what kinds of certs do you want to issue; to what entities;
> > who will issue them; are you already using FreeIPA in your
> > organisation?
> >
> > In regards to functional differences, Dogtag CA and KRA are
> > supported with FreeIPA; token processing and standalone OCSP are
> > not.  I disagree somewhat with Rob in that unless you need those
> > other Dogtag subsystems, I see little disadvantage in using FreeIPA.
> > It definitely makes deploying the CA easier and managing renewals
> > easier.
> >
> > The more you tell us of your requirements, the more we can help :)
> >
> > Thanks,
> > Fraser
> >



