<div dir="ltr">Thanks Fraser. So basically i can rule out FreeIPA and go ahead with DogTag. According to our security requirements, it is not wise to let the genral public access to the OCSP service running on the CA. I suppose having an OCSP over Fedora while the others run on CentOS would do. how about RA, can i have it over CentOS? <div class="gmail_extra"> <div class="gmail_quote">On Tue, Aug 16, 2016 at 3:04 PM, Fraser Tweedale <<a href="mailto:ftweedal@redhat.com" target="_blank">ftweedal@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, Aug 16, 2016 at 02:54:41PM +0530, Kaamel Periora wrote: > Thanks Rob and Fraser, appreciate your time in replying. > > Currently we are not using FreeIPA but dogtag 9 as an standalone system > with RA and OCSP as well. > > We thought of migrating to the FreeIPA after looking at the the ease of > management and excellent support community behind. > > We require SSL/TLS server certificates and user certificates as well. > > Currently our major issue is the continuous changes (not stable) in the > underlying OS which is Fedora. If we proceed with Dogtag over CentOS or > RedHat, will that suffice the stability requirements while delivering the > same level of integration with Fedora? > > your opinion is much appreciated. > > Kaamel > FreeIPA and Dogtag are both available in RHEL and CentOS, so you can have FreeIPA's ease of management on a less rapidly-evolving platform. Caveat: the standalone OCSP subsystem is not supported on RHEL, but the CA subsystem has an inbuilt OCSP responder which may suffice. Thanks, Fraser <div class=""><div class="h5"> > On Fri, Aug 12, 2016 at 6:10 AM, Fraser Tweedale <<a href="mailto:ftweedal@redhat.com">ftweedal@redhat.com</a>> > wrote: > > > On Thu, Aug 11, 2016 at 11:54:25AM -0400, Rob Crittenden wrote: > > > Kamal Perera wrote: > > > > Dear all, > > > > > > > > Seeking your kind advices. > > > > > > > > If the requirement is for having a scalable corporate CA only, is it > > > > possible to get this requirement fulfilled with DogTag only, or install > > > > FreeIPA and use the CA functionality only. > > > > > > IPA limits dogtag to only those features it is interested in. This has > > been > > > expanding recently but you still lose some functionality. > > > > > > IMHO if all you want is a CA then managing IPA is overkill. > > > > > > > What are the functional differences and support limitations? > > > > > > Functionally it depends on what version of IPA you're talking about. > > Older > > > versions only exposed server certificates. Newer versions support user > > > certifications, custom profiles and more. It is still just a subset of > > what > > > dogtag supports. > > > > > > Support from whom? The dogtag community is happy to help (they've always > > > helped us). > > > > > There are lots of questions that can help you decide which path to > > take: what kinds of certs do you want to issue; to what entities; > > who will issue them; are you already using FreeIPA in your > > organisation? > > > > In regards to functional differences, Dogtag CA and KRA are > > supported with FreeIPA; token processing and standalone OCSP are > > not. I disagree somewhat with Rob in that unless you need those > > other Dogtag subsystems, I see little disadvantage in using FreeIPA. > > It definitely makes deploying the CA easier and managing renewals > > easier. > > > > The more you tell us of your requirements, the more we can help :) > > > > Thanks, > > Fraser > > </div></div></blockquote></div> </div></div>