[Freeipa-users] freeipa as organizational CA

Fraser Tweedale ftweedal at redhat.com
Mon May 9 22:50:33 UTC 2016


On Mon, May 09, 2016 at 10:23:07PM +0300, Alexander Bokovoy wrote:
> On Mon, 09 May 2016, Andy Thompson wrote:
> >Is freeipa in RHEL7.2 able to be used as an organizational CA these
> >days?  I have a requirement to set one up and like the IPA interface
> >and tools, but can't sort out the current state in 4.2 to decipher
> >whether this is possible, or even reasonable to try.  I need to set up
> >an org sub CA with an offline root CA.
> Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL
> 7.2 does not support sub-CA functionality.
> 
Andy, you can install FreeIPA as a sub-CA of your offline root.
Support for creating sub-CAs *within* FreeIPA, under the "main"
FreeIPA CA (which in your case is a sub-CA of your offline root), is
not yet available but I am working on that.  But if you only need
one CA as a sub-CA of an offline root, you can use FreeIPA today.

> >The dogtag pki-ca in 7.2 appears to be missing some pieces, none of the
> >management themes seem to be available and the console utilities are
> >hit and miss, so I'm looking at this possibility.  Seems like overkill
> >but thought I'd toss the idea around.
> I think RHCS is a separate product with support on top of RHEL 7. Check
> with your Red Hat representatives.
> -- 
> / Alexander Bokovoy
> 