[Freeipa-users] Dogtag migration to FreeIPA

Ha T. Lam hatlam at gmail.com
Thu May 5 19:46:48 UTC 2016 

Hi Fraser,

Thank you very much for the immediate response. Our use-case for Dogtag is:
our installation engineers request a signing CA cert through the Dogtag web
interface, and our admin grants the request, anything following is not
managed with Dogtag. So we only use Dogtag for managing the root cert and
the signing CA certs (beside OCSP, audit certs, etc that come with the
system).

I'm not sure how your solution would work in our case, if we import a
signing cert into Dogtag and sign other certs that we give to our
installation engineers using it, it would change our current cert chain.

Reading your reply, I realized I probably misunderstood how FreeIPA worked,
I thought I only needed to import Dogtag's Root CA (which is our company
Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this
would not work, would it?

Thanks,
Ha

On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:

> On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > Hi,
> >
> > We have an in-house CA system managed by a stand-alone Dogtag system, we
> > would like to integrate it with our FreeIPA system which is already in
> use
> > and is setup with the company LDAP. I'm new to FreeIPA and I have some
> > questions about this process:
> >
> > 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> > directly? If so, how would I achieve that?
> >
> This is not supported, though it's technically feasible (we just
> don't have any code to do it).
>
> > 2. If it's not possible to do the above, what about setting up a clone of
> > the current FreeIPA system and migrate Dogtag during the installation of
> > the replica? Is this a better option?
> >
> Same as above... technically feasible but no way to do it right now.
>
> > 3. Any other alternative?
> >
> One alternative is to export your CA signing cert and key, and
> install a new Dogtag instance in your FreeIPA environment.  The IPA
> Dogtag instance would be "detached" from your existing Dogtag
> instance but, cryptographically speaking, it would be the same CA.
>
> You would have to tweak serial number ranges to ensure the new
> instance doesn't reuse serial numbers that were already used (a
> simple procedure).
>
> How well this would work in your organisation would depend on what
> sorts of things you use the exiting Dogtag for, how clients expect
> to renew certificates, etc.  I'm happy to answer questions you might
> have in considering this approach.
>
> Cheers,
> Fraser
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160505/af29fac8/attachment.htm>

More information about the Freeipa-users mailing list