[Freeipa-users] Options for existing CA/DNS infrastructure

David Kupka dkupka at redhat.com
Mon Mar 20 08:29:41 UTC 2017


On Sun, Mar 12, 2017 at 10:47:02PM -0400, Rob Foehl wrote:
> I'm looking at deploying FreeIPA in a few environments with substantial DNS
> and/or CA infrastructure, and have some choices to make...
> 
> How much trouble will I have if FreeIPA is delegated a zone like
> ipa.example.com with all clients in example.com or other children?  (No
> overlap with AD-managed zones, but in at least one case autodiscovery won't
> be possible due to mixed clients in the parent zone.)
> 
> What's the best way to play nice with existing PKI -- generate a CA CSR at
> installation time and sign that?  Is there any provision for automatically
> renewing these certs, say if the external CA were to be subsumed by a
> dedicated Dogtag instance?
> 
> Advice and experience appreciated, before I paint myself into a corner
> somewhere...  Thanks!
> 
> -Rob
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

Hello Rob,
FreeIPA can be deployed in an environment with an existing DNS and/or CA server.
IIRC you have the following options:
- regarding DNS:
-- Delegate a DNS zone for FreeIPA. It will then manage the zone and add records
there. Obviously, it will not add records for clients in other zones.

-- Don't set up DNS in FreeIPA and keep managing all records in your current DNS
server. There's a plan to integrate with external DNS servers [1] but nothing has
been done yet.

- regarding CA:
-- install CA-less FreeIPA: you need to issue certificates for HTTPD and 389-DS
with your certificate server and provide them when installing the FreeIPA server.

-- install FreeIPA with a CA certificate signed by an external CA. Use the
--external-ca option. The installation will be interrupted to let you sign the
generated CSR. FreeIPA will then issue all needed certificates.

-- install FreeIPA with a self-signed CA certificate. This is the default, but then
you need to distribute the certificate to all clients.

Certmonger [2] is configured during ipa-server-install to track and renew
certificates.

[1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer
[2] https://pagure.io/certmonger

-- 
David Kupka
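The three CA paths from the reply, and the certmonger check that follows them, as an added shell example (not code from the thread or from the FreeIPA project). The realm, domain, certificate file paths and the sample `getcert list` output are constructed; the installer options used (`--external-ca`, `--external-cert-file`, `--dirsrv-cert-file`, `--http-cert-file`, `--ca-cert-file`) are real ipa-server-install options, and `/root/ipa.csr` is where the installer writes the CSR in the external-CA case. With `DRY_RUN=1` (the default here) the commands are printed rather than executed, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project: the three CA
# options from the reply as shell functions, plus a certmonger status check.
# Realm, domain, file paths and the sample getcert output are constructed.
# With DRY_RUN=1 (the default here) commands are printed, not executed.

DRY_RUN="${DRY_RUN:-1}"
REALM="${REALM:-IPA.EXAMPLE.COM}"      # constructed
DOMAIN="${DOMAIN:-ipa.example.com}"    # constructed (the delegated zone)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Option 1: CA-less. httpd and 389-DS certificates come from the existing PKI
# as PKCS#12 files; the installer prompts for their passwords if no pin is given.
caless_install() {
  run ipa-server-install --realm "$REALM" --domain "$DOMAIN" \
    --dirsrv-cert-file /root/dirsrv.p12 \
    --http-cert-file /root/http.p12 \
    --ca-cert-file /root/external-ca-chain.pem
}

# Option 2, step 1: FreeIPA generates its CA key and a CSR, then stops so the
# CSR (written to /root/ipa.csr) can be signed by the external CA.
external_ca_step1() {
  run ipa-server-install --realm "$REALM" --domain "$DOMAIN" --external-ca
}

# Option 2, step 2: resume with the signed CA certificate and the external chain.
external_ca_step2() {
  run ipa-server-install \
    --external-cert-file /root/ipa.crt \
    --external-cert-file /root/external-ca-chain.pem
}

# Option 3: self-signed IPA CA (the default). Clients need the CA certificate
# (/etc/ipa/ca.crt on the server); ipa-client-install installs it for them.
selfsigned_install() {
  run ipa-server-install --realm "$REALM" --domain "$DOMAIN"
}

# Certmonger tracks the certificates after install. Filter `getcert list`
# output down to requests that are not in the healthy MONITORING state.
getcert_not_monitoring() {
  awk '
    /^Request ID/    { id = $0; gsub(/[^0-9]/, "", id) }
    /^[ \t]*status:/ { if ($2 != "MONITORING") print id, $2 }
  '
}

# Constructed sample of getcert list output (two tracked requests, one stuck).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170320082941':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        expires: 2019-03-21 08:29:41 UTC
Request ID '20170320082942':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        CA: IPA
        expires: 2019-03-21 08:29:42 UTC
EOF
}

# Demo: print the commands in dry-run mode and check the sample tracking output.
echo "# CA-less:";     caless_install
echo "# external CA:"; external_ca_step1; external_ca_step2
echo "# self-signed:"; selfsigned_install
echo "# requests needing attention:"
sample_getcert_list | getcert_not_monitoring
```

On a real server, `DRY_RUN=0` executes the chosen install function, and `getcert list | getcert_not_monitoring` replaces the constructed sample; an empty result means every tracked certificate is in MONITORING and will be renewed by certmonger without intervention.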