[Freeipa-users] Options for existing CA/DNS infrastructure
Rob Foehl
rwf at loonybin.net
Mon Mar 20 01:22:15 UTC 2017
On Sun, 12 Mar 2017, Rob Foehl wrote:
> What's the best way to play nice with existing PKI -- generate a CA CSR at
> installation time and sign that? Is there any provision for automatically
> renewing these certs, say if the external CA were to be subsumed by a
> dedicated Dogtag instance?
I'm guessing the complete lack of a response does not bode well for this
idea...
Ideally, I'd rather not manage an external CA at all; existing use cases
are service certificates and a handful of user or device-specific client
certs. I've been digging into the sub-CA support a bit more, and it might
be possible to cover everything within FreeIPA, possibly adding
otherwise-unused principals as needed.
The lingering question, then: what to do with the existing CA?
I've found a few threads suggesting it may be possible to wedge an
existing cert/key into a new IPA instance at install time, but they're all
light on specifics. Any other ideas for a smooth transition from this CA
to one entirely owned by FreeIPA, maybe within 3 years or so? ;)
-Rob