[Freeipa-users] freeipa as organizational CA

Alexander Bokovoy abokovoy at redhat.com
Mon May 9 20:43:37 UTC 2016


On Mon, 09 May 2016, Andy Thompson wrote:
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Monday, May 9, 2016 3:23 PM
>> To: Andy Thompson <Andy.Thompson at e-tcc.com>
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] freeipa as organizational CA
>>
>> On Mon, 09 May 2016, Andy Thompson wrote:
>> >Is freeipa in RHEL7.2 able to be used as an organizational CA these
>> >days?  I have a requirement to set one up and like the IPA interface
>> >and tools, but can't sort out the current state in 4.2 to decipher
>> >whether this is possible, or even reasonable to try.  I need to set up
>> >an org sub CA with an offline root CA.
>> Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL
>> 7.2 does not support sub-CA functionality.
>>
>
>If I can get an exclusion for the sub-CA bits, can that be added at a
>later time and just run with a root CA for now?  Can it perform all of
>the needs of an org CA outside of an IPA environment?
Not through the IPA interfaces but standard Dogtag is there, with its
(albeit a bit cumbersome) web UI. So I guess you could do what IPA
doesn't allow via that one, though there will be no support for these
functions.

When FreeIPA gets sub-CA support added, an upgrade path should be
there to allow creating sub-CAs.
-- 
/ Alexander Bokovoy



