[Freeipa-users] Dogtag migration to FreeIPA

Fraser Tweedale ftweedal at redhat.com
Thu May 5 20:37:04 UTC 2016


On Thu, May 05, 2016 at 12:46:48PM -0700, Ha T. Lam wrote:
> Hi Fraser,
> 
> Thank you very much for the immediate response. Our use-case for Dogtag is:
> our installation engineers request a signing CA cert through the Dogtag web
> interface, and our admin grants the request, anything following is not
> managed with Dogtag. So we only use Dogtag for managing the root cert and
> the signing CA certs (beside OCSP, audit certs, etc that come with the
> system).
> 
> I'm not sure how your solution would work in our case, if we import a
> signing cert into Dogtag and sign other certs that we give to our
> installation engineers using it, it would change our current cert chain.
> 
> Reading your reply, I realized I probably misunderstood how FreeIPA worked,
> I thought I only needed to import Dogtag's Root CA (which is our company
> Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this
> would not work, would it?
> 
Correct; there isn't right now a way to "adopt" an existing CA into
an existing Dogtag instance.

In either case, because you are issuing admin-approved CA
certificates, I don't think FreeIPA fits your use case.  In the
future we will support sub-CA creation (it is what I am working on)
so you might want to evaluate FreeIPA once that feature has landed.

Cheers,
Fraser

> Thanks,
> Ha
> 
> On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> 
> > On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > > Hi,
> > >
> > > We have an in-house CA system managed by a stand-alone Dogtag system, we
> > > would like to integrate it with our FreeIPA system which is already in
> > > use and is set up with the company LDAP. I'm new to FreeIPA and I have some
> > > questions about this process:
> > >
> > > 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> > > directly? If so, how would I achieve that?
> > >
> > This is not supported, though it's technically feasible (we just
> > don't have any code to do it).
> >
> > > 2. If it's not possible to do the above, what about setting up a clone of
> > > the current FreeIPA system and migrate Dogtag during the installation of
> > > the replica? Is this a better option?
> > >
> > Same as above... technically feasible but no way to do it right now.
> >
> > > 3. Any other alternative?
> > >
> > One alternative is to export your CA signing cert and key, and
> > install a new Dogtag instance in your FreeIPA environment.  The IPA
> > Dogtag instance would be "detached" from your existing Dogtag
> > instance but, cryptographically speaking, it would be the same CA.
> >
> > You would have to tweak serial number ranges to ensure the new
> > instance doesn't reuse serial numbers that were already used (a
> > simple procedure).
> >
> > How well this would work in your organisation would depend on what
> > sorts of things you use the existing Dogtag for, how clients expect
> > to renew certificates, etc.  I'm happy to answer questions you might
> > have in considering this approach.
> >
> > Cheers,
> > Fraser
> >
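As an added illustration of the serial-range step Fraser mentions (example code written for this page, not taken from the thread or from Dogtag itself): a check that a re-installed instance's serial range starts above every serial the old instance already issued. It assumes the CS.cfg keys `dbs.beginSerialNumber` and `dbs.endSerialNumber` hold hexadecimal values and that the operator has exported the list of issued serials from the old instance's CA database.

```python
"""Serial-range check for a Dogtag CA re-installed from an exported key.

Assumptions (not from the thread): dbs.beginSerialNumber and
dbs.endSerialNumber in CS.cfg are hex; issued serials are supplied as hex.
"""

# Constructed sample: serials the old, stand-alone instance already issued.
OLD_ISSUED_SERIALS = ["01", "02", "03", "0a", "1f"]

# Constructed CS.cfg fragment from a freshly installed IPA Dogtag instance.
NEW_CS_CFG = """\
# serial number range handed to this instance
dbs.beginSerialNumber=1
dbs.endSerialNumber=10000000
dbs.serialIncrement=10000000
"""


def parse_cs_cfg(text):
    """Parse key=value lines of a CS.cfg fragment; skip comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_serial(value):
    """Hex serial, with or without a 0x prefix, to int."""
    v = value.strip().lower()
    return int(v[2:] if v.startswith("0x") else v, 16)


def check_serial_range(cs_cfg_text, issued_serials):
    """Report whether the new range lies entirely above all issued serials.

    On overlap, 'suggested_begin' is the smallest safe dbs.beginSerialNumber
    (highest issued serial + 1, as hex) to which the range should be bumped.
    """
    cfg = parse_cs_cfg(cs_cfg_text)
    begin = parse_serial(cfg["dbs.beginSerialNumber"])
    end = parse_serial(cfg["dbs.endSerialNumber"])
    max_issued = max((parse_serial(s) for s in issued_serials), default=-1)
    ok = max_issued < begin <= end
    return {"begin": begin, "end": end, "max_issued": max_issued, "ok": ok,
            "suggested_begin": None if ok else format(max_issued + 1, "x")}
```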