[Freeipa-users] Options for existing CA/DNS infrastructure
David Kupka
dkupka at redhat.com
Mon Mar 20 08:29:41 UTC 2017
On Sun, Mar 12, 2017 at 10:47:02PM -0400, Rob Foehl wrote:
> I'm looking at deploying FreeIPA in a few environments with substantial DNS
> and/or CA infrastructure, and have some choices to make...
>
> How much trouble will I have if FreeIPA is delegated a zone like
> ipa.example.com with all clients in example.com or other children? (No
> overlap with AD-managed zones, but in at least one case autodiscovery won't
> be possible due to mixed clients in the parent zone.)
>
> What's the best way to play nice with existing PKI -- generate a CA CSR at
> installation time and sign that? Is there any provision for automatically
> renewing these certs, say if the external CA were to be subsumed by a
> dedicated Dogtag instance?
>
> Advice and experience appreciated, before I paint myself into a corner
> somewhere... Thanks!
>
> -Rob
>
Hello Rob,
FreeIPA can be deployed in an environment with an existing DNS and/or CA server.
IIRC you have the following options:
- regarding DNS:
-- Delegate DNS zone for FreeIPA. It will then manage the zone and add records
there. Obviously, it will not add records for clients in other zones.
-- Don't set up DNS in FreeIPA and keep managing all records in your current DNS
server. There's a plan to integrate with external DNS servers [1] but nothing has
been done yet.
- regarding CA:
-- install CA-less FreeIPA - you need to issue certificates for HTTPD and 389-DS
with your certificate server and provide those when installing FreeIPA server
-- install FreeIPA with a CA certificate signed by an external CA. Use the
--external-ca option. The installation will be interrupted to let you sign the
generated CSR. FreeIPA will then issue all needed certificates.
-- install FreeIPA with a self-signed CA certificate. This is the default, but then
you need to distribute the certificate to all clients.
Certmonger [2] is configured during ipa-server-install to track and renew
certificates.
[1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer
[2] https://pagure.io/certmonger
--
David Kupka
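The --external-ca hand-off described above has one step that is easy to get wrong on the external PKI side: the CSR must be signed as a CA certificate, not with a server profile, or Dogtag cannot issue anything with the result. The script below is an added example, not code from the thread or from the FreeIPA project; it rehearses that step offline with constructed material (a throwaway root CA standing in for the existing PKI, and a CSR standing in for the one the installer writes out) and shows the two checks worth running before resuming the installer. It assumes the openssl command-line tool is available; the subject names and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: offline rehearsal of the --external-ca
# hand-off. Everything here is constructed: a throwaway root CA standing in for
# the organisation's existing PKI, and a CSR standing in for the one
# ipa-server-install --external-ca writes out before it pauses.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profile the external CA must apply to the IPA CSR: the result has
# to be a CA certificate that may sign certificates and CRLs.
write_ca_exts() {                # $1 = extension file to write
    cat > "$1" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# The failure mode: a server (end-entity) profile applied by mistake.
write_ee_exts() {                # $1 = extension file to write
    cat > "$1" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# Constructed stand-in for the existing external root CA (self-signed).
make_external_root() {           # $1 = key out, $2 = cert out
    write_ca_exts "$WORK/root.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=Example Corp Root CA" \
        -keyout "$1" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$1" -days 3650 -sha256 \
        -extfile "$WORK/root.ext" -out "$2" 2>/dev/null
}

# Constructed stand-in for the CSR FreeIPA generates; in a real install the
# subject is chosen by the installer, not by you.
make_ipa_csr() {                 # $1 = key out, $2 = csr out
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=IPA.EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# Sign the IPA CSR with the external root, applying the given extension file.
sign_csr() {                     # $1 = csr, $2 = ca key, $3 = ca cert, $4 = ext file, $5 = cert out
    openssl x509 -req -in "$1" -CAkey "$2" -CA "$3" -CAcreateserial \
        -days 1825 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# Check 1: the signed certificate is actually a CA certificate.
is_ca_cert() {                   # $1 = cert
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: it chains to the external root you expect.
verify_chain() {                 # $1 = cert, $2 = trusted root
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The file the installer is resumed with: IPA CA cert followed by the external
# chain (this is what ipa-server-install takes via --external-cert-file).
build_cert_file() {              # $1 = ipa ca cert, $2 = root cert, $3 = out
    cat "$1" "$2" > "$3"
}

run_demo() {
    make_external_root "$WORK/root.key" "$WORK/root.crt"
    make_ipa_csr "$WORK/ipa.key" "$WORK/ipa.csr"
    write_ca_exts "$WORK/ca.ext"
    write_ee_exts "$WORK/ee.ext"
    # Correct signing, and the mistaken server-profile signing side by side.
    sign_csr "$WORK/ipa.csr" "$WORK/root.key" "$WORK/root.crt" "$WORK/ca.ext" "$WORK/ipa-ca.crt"
    sign_csr "$WORK/ipa.csr" "$WORK/root.key" "$WORK/root.crt" "$WORK/ee.ext" "$WORK/ipa-wrong.crt"
    build_cert_file "$WORK/ipa-ca.crt" "$WORK/root.crt" "$WORK/external-cert-file.pem"
}

run_demo
if is_ca_cert "$WORK/ipa-ca.crt" && verify_chain "$WORK/ipa-ca.crt" "$WORK/root.crt"; then
    echo "ipa-ca.crt: CA:TRUE and chains to the external root, safe to resume the installer"
fi
if ! is_ca_cert "$WORK/ipa-wrong.crt"; then
    echo "ipa-wrong.crt: signed with a server profile (CA:FALSE), do not hand this back"
fi
```

In a real deployment the only parts you supply are the signing step and the two checks; the CSR comes from the paused installer, and the root is your organisation's. Keeping the root certificate out of the IPA CA certificate itself and appending it as the chain (as build_cert_file does) is what lets Certmonger later renew against the same issuer.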