[Pki-devel] lightweight sub-CAs?

Fraser Tweedale ftweedal at redhat.com
Tue Jun 3 07:46:24 UTC 2014


Hi all,

In order to support more fine-grained security domains in FreeIPA
(Puppet is one of many use cases; see
http://www.freeipa.org/page/IPA_as_external_Puppet_CA and
http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/), I
am beginning to explore whether there is any current or potential
capability in Dogtag for "lightweight" intermediate CAs.

A Dogtag `ca' subsystem can be set up as an intermediate CA, but
AFAICT, this will run as a separate instance, on its own network
ports, etc.  Leveraging this capability from FreeIPA would be
complex, to say the least, as it would involve spawning whole new
Dogtag instances.

So, I am wondering if there is any capability in Dogtag for creating
intermediate CAs *within* a single instance?  And if not, are
there any comments or suggestions about whether there is scope to
add such a feature or how it might be used - particularly in
relation to profiles?

Cheers,

Fraser