<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I hit reply instead of reply all again. Sorry. Adding the list back.<br>
<br>
On 02/14/2012 02:43 PM, Dmitri Pal wrote:
<blockquote cite="mid:4F3AB94C.7060908@redhat.com" type="cite">
On 02/13/2012 12:43 PM, Marco Pizzoli wrote:
<blockquote
cite="mid:CAMrrtwvMQ0RQJXP0Oa=WFuX4dJ7D_hhf__VSCNatfKSbegr_eQ@mail.gmail.com"
type="cite">Hi Adam, <br>
<br>
<div class="gmail_quote">On Mon, Feb 13, 2012 at 5:58 PM, Adam
Young <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im"> On 02/12/2012 04:00 PM, Marco Pizzoli
wrote: </div>
<div>
<div class="h5">
<blockquote type="cite">Hi,<br>
I see DogTag PKI used as a certificate server for
the enrollment of hosts and services.<br>
What about the enrollment of normal X509v3
certificates? I have not seen, correct me if I'm
wrong, any reference to the possibility to use it as
a regular CA for user certificates. Not within
FreeIPA, of course.<br>
<br>
Is there any drawback in using it as the primary CA
for the company?<br>
</blockquote>
<br>
</div>
</div>
It is a full CA. You can use it as such. Dogtag is a
vibrant project in its own right, and you can find
developers on #dogtag-pki in Freenode. The install is
done via pkisilent, and you might want to make sure that
you understand the parameters used to call it.<br>
</div>
</blockquote>
<div><br>
I will. Thanks for the pointer.<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000"> One major drawback is
that IPA has disabled Nonces in the Dogtag backend. These
are there to defend against a CSRF attack. What this
means is that you should not expose the Dogtag WebUI
through the IPA server, either on its Dogtag port or via
HTTP proxy. It should be explicitly stated that IPA
implements Nonces for its web UI, and does not allow
session based calls through to the Dogtag back end, so
its configuration is secure. The problem is only exposed
if you expose additional web URLs to the Dogtag backend
beyond those specified in the PKI Proxy.<br>
<br>
Enabling nonces will break IPA.<br>
</div>
</blockquote>
<div><br>
You told me something I wasn't aware of. I will dig into
this during the next few weeks.<br>
</div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000"> I've installed and
used the standard Java tools for Dogtag and used them to
talk to the PKI backend installed by IPA. They work fine.<br>
</div>
</blockquote>
<div><br>
Ok, this is what I hoped to read! :-) <br>
<br>
</div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000"> Currently, IPA acts
as a single Agent in Dogtag. This should be fine. For
other certificate usage, you should probably use a
different agent. </div>
</blockquote>
<div><br>
Please be patient with me, I don't understand yet the
concept of "agent". Even a reference to the documentation
would be helpful to me.<br>
</div>
</div>
</blockquote>
<br>
<br>
"Agent" is client-side software that can connect to the CA,
authenticate, and has a role that allows it to perform specific operations against
the CA. <br>
<br>
<blockquote
cite="mid:CAMrrtwvMQ0RQJXP0Oa=WFuX4dJ7D_hhf__VSCNatfKSbegr_eQ@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000">IPA does not currently
support user certificates. However, there are standard
LDAP object classes and attributes that you could
conceivably use to record them if you wanted to keep them
in a single DirSrv. Obviously, you do not want to put
the private keys on the IPA server, so plan accordingly.<br>
</div>
</blockquote>
<div><br>
I will, I promise :-)<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000"> Red Hat does not
support using the Certificate Server (PKI) backend with
its Identity management install for purposes other than
support for the IdM (IPA) front end, so beware that you
have no "up sell" if you desire to get paid support for
IPA.<br>
</div>
</blockquote>
<div><br>
I understand.<br>
I link a question I'm curious about: if I remember correctly,
on the PKI-user mailing list I read a user complaining about
RH not selling RHCS standalone anymore. Is it true?<br>
</div>
</div>
</blockquote>
<br>
It is true to some extent. <br>
It is sold under special conditions. For more info on RHCS sales
conditions you need to go via official RH channels. <br>
<br>
<blockquote
cite="mid:CAMrrtwvMQ0RQJXP0Oa=WFuX4dJ7D_hhf__VSCNatfKSbegr_eQ@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div> <br>
You've been very helpful! Your blog too.. :-)<br>
Thanks a lot!<br>
Marco <br>
<br>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</blockquote>
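The nonce and PKI-proxy point Adam makes above, modelled as an added Python example (not IPA's or Dogtag's own code): with per-session nonces disabled, a request carrying the session cookie is accepted, so the proxy's URL allowlist is the only remaining barrier. The allowlisted paths, session ids and nonce store are constructed stand-ins, not the real PKI Proxy configuration.

```python
"""Model of the two defences discussed in the thread: per-session nonces
(a CSRF defence) and the PKI proxy's URL allowlist.  Paths, session ids
and the nonce store below are constructed for illustration only."""
import secrets

# Constructed allowlist standing in for the URLs the PKI proxy forwards.
# Anything outside it should not be reachable through the IPA web server.
PROXIED_PATHS = {"/ca/ee/ca/profileSubmit", "/ca/agent/ca/displayBySerial"}


class NonceStore:
    """Issues one-time nonces bound to a session, as a CSRF defence."""

    def __init__(self):
        self._issued = {}  # session id -> set of not-yet-used nonces

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        self._issued.setdefault(session_id, set()).add(nonce)
        return nonce

    def consume(self, session_id, nonce):
        """True only if nonce was issued to this session and is unused."""
        pending = self._issued.get(session_id, set())
        if nonce in pending:
            pending.discard(nonce)  # one-time: a replay is rejected
            return True
        return False


def accept_request(path, session_id, nonce, store, nonces_enabled,
                   exposed_paths=PROXIED_PATHS):
    """Decide whether a state-changing request reaches the CA backend.

    A cross-site request carries the victim's session cookie (session_id)
    but cannot know a nonce issued inside that session.  With nonces
    disabled, the path allowlist is the only thing stopping it."""
    if path not in exposed_paths:
        return False          # not proxied: backend unreachable this way
    if not nonces_enabled:
        return True           # session cookie alone suffices
    return store.consume(session_id, nonce)
```

The last branch is why the thread warns against exposing Dogtag URLs beyond those the PKI proxy forwards: once a path is reachable, the disabled nonce check offers no second line of defence.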
</body>
</html>