[Freeipa-users] Options for existing CA/DNS infrastructure
Rob Foehl
rwf at loonybin.net
Mon Mar 27 00:18:27 UTC 2017

On Mon, 20 Mar 2017, David Kupka wrote:

> FreeIPA can be deployed in an environment with an existing DNS and/or CA server.
> IIRC you have the following options:

None of the documentation I've managed to find thus far addresses the
general question of which option(s) to choose, and why; in particular, the
"Deployment Recommendations" page just presents the options without
actually recommending one over another. What's missing is how they behave
in the real world, and which tradeoffs cause the least trouble.

Maybe that question is too general... Here are a few specifics that fell
out of a bunch of experimentation:

Is there any utility in installing DNS and delegating a zone to FreeIPA if
none of the clients will live in that zone?

Is there any current or planned method for absorbing an existing CA cert
into a (newly) FreeIPA-installed Dogtag instance that'd allow for
continued issuance of a variety of client and service certs from FreeIPA,
without having to manage an external CA?

-Rob