[Freeipa-users] Options for existing CA/DNS infrastructure
Rob Foehl
rwf at loonybin.net
Mon Mar 13 02:47:02 UTC 2017
I'm looking at deploying FreeIPA in a few environments with substantial
DNS and/or CA infrastructure, and have some choices to make...

How much trouble will I have if FreeIPA is delegated a zone like
ipa.example.com with all clients in example.com or other children? (No
overlap with AD-managed zones, but in at least one case autodiscovery
won't be possible due to mixed clients in the parent zone.)

What's the best way to play nice with existing PKI -- generate a CA CSR at
installation time and sign that? Is there any provision for automatically
renewing these certs, say if the external CA were to be subsumed by a
dedicated Dogtag instance?

Advice and experience appreciated, before I paint myself into a corner
somewhere... Thanks!

-Rob