[Freeipa-users] FreeIPA vs DogTag CA

Fraser Tweedale ftweedal at redhat.com
Tue Aug 16 11:55:48 UTC 2016


On Tue, Aug 16, 2016 at 04:29:02PM +0530, Kaamel Periora wrote:
> Thanks Fraser.
> 
> So basically i can rule out FreeIPA and go ahead with DogTag.
> 
> According to our security requirements, it is not wise to let the general
> public access the OCSP service running on the CA. I suppose having an
> OCSP over Fedora while the others run on CentOS would do.
> 
Sure, you can deploy it that way.  I do not know of anyone who has
done so but it should work.

> How about RA, can I have it over CentOS?
> 
We no longer have a separate RA subsystem.  RA capabilities are
conceptually part of the CA subsystem now.

> On Tue, Aug 16, 2016 at 3:04 PM, Fraser Tweedale <ftweedal at redhat.com>
> wrote:
> 
> > On Tue, Aug 16, 2016 at 02:54:41PM +0530, Kaamel Periora wrote:
> > > Thanks Rob and Fraser, appreciate your time in replying.
> > >
> > > Currently we are not using FreeIPA but dogtag 9 as a standalone system
> > > with RA and OCSP as well.
> > >
> > > We thought of migrating to FreeIPA after looking at the ease of
> > > management and the excellent support community behind it.
> > >
> > > We require SSL/TLS server certificates and user certificates as well.
> > >
> > > Currently our major issue is the continuous changes (not stable) in the
> > > underlying OS which is Fedora. If we proceed with Dogtag over CentOS or
> > > RedHat, will that satisfy the stability requirements while delivering the
> > > same level of integration as with Fedora?
> > >
> > > Your opinion is much appreciated.
> > >
> > > Kaamel
> > >
> > FreeIPA and Dogtag are both available in RHEL and CentOS, so you can
> > have FreeIPA's ease of management on a less rapidly-evolving
> > platform.
> >
> > Caveat: the standalone OCSP subsystem is not supported on RHEL, but
> > the CA subsystem has an inbuilt OCSP responder which may suffice.
> >
> > Thanks,
> > Fraser
> >
> > > On Fri, Aug 12, 2016 at 6:10 AM, Fraser Tweedale <ftweedal at redhat.com>
> > > wrote:
> > >
> > > > On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote:
> > > > > Kamal Perera wrote:
> > > > > > Dear all,
> > > > > >
> > > > > > Seeking your kind advice.
> > > > > >
> > > > > > If the requirement is for having a scalable corporate CA only, is it
> > > > > > possible to get this requirement fulfilled with DogTag only, or install
> > > > > > FreeIPA and use the CA functionality only.
> > > > >
> > > > > IPA limits dogtag to only those features it is interested in. This has
> > > > > been expanding recently but you still lose some functionality.
> > > > >
> > > > > IMHO if all you want is a CA then managing IPA is overkill.
> > > > >
> > > > > > What are the functional differences and support limitations?
> > > > >
> > > > > Functionally it depends on what version of IPA you're talking about.
> > > > > Older versions only exposed server certificates. Newer versions support
> > > > > user certifications, custom profiles and more. It is still just a subset
> > > > > of what dogtag supports.
> > > > >
> > > > > Support from whom? The dogtag community is happy to help (they've
> > > > > always helped us).
> > > > >
> > > > There are lots of questions that can help you decide which path to
> > > > take: what kinds of certs do you want to issue; to what entities;
> > > > who will issue them; are you already using FreeIPA in your
> > > > organisation?
> > > >
> > > > In regards to functional differences, Dogtag CA and KRA are
> > > > supported with FreeIPA; token processing and standalone OCSP are
> > > > not.  I disagree somewhat with Rob in that unless you need those
> > > > other Dogtag subsystems, I see little disadvantage in using FreeIPA.
> > > > It definitely makes deploying the CA easier and managing renewals
> > > > easier.
> > > >
> > > > The more you tell us of your requirements, the more we can help :)
> > > >
> > > > Thanks,
> > > > Fraser
> > > >
> >
