[Pki-users] Dogtag rootCA or subCA

Fraser Tweedale ftweedal at redhat.com
Tue May 2 13:57:16 UTC 2017


On Tue, May 02, 2017 at 11:54:06AM +0000, Pieter Baele wrote:
> Hi Fraser,
> 
> Maybe I am not interpreting this 100% correctly....
> Using a subCA: in which cases / direction it is not necessary to deploy the
> IPA intermediate CA cert?
> 
If Windows clients trust the root CA, they do not need to trust or
even know about intermediate CA certs (such as the IPA CA), to trust
service certs issued by the intermediate CA.  As long as the TLS
server is configured to deliver the intermediate cert(s) along with
the end-entity cert, everything will work just fine.

Hope that clarifies things.

> AFAIK, all issuing (sub) CA's certs are deployed to (windows) clients. So
> in fact this is not (always) necessary?
> 
I do not know much about the behaviour of AD / MS CA in this regard,
i.e. whether it delivers sub-CA certificates to clients as trusted
issuing certificates or not.  But see above; it is not necessary as
long as the server is configured properly.

Cheers,
Fraser
>
> 
> 
> On Tue, May 2, 2017 at 12:55 PM Fraser Tweedale <ftweedal at redhat.com> wrote:
> 
> > On Tue, May 02, 2017 at 09:45:49AM +0000, Pieter Baele wrote:
> > > We will start setting up IDM/FreeIPA  for a specific linux subdomain in
> > our
> > > enterprise.
> > >
> > > But how can we best integrate Dogtag with the enterprise CA
> > infrastructure
> > > (MS Certificate Services)?
> > >
> > > Option 1: Dogtag as the rootCA (?)
> > > We can use FreeIPA for all certificates where we need to encrypt
> > end-to-end
> > > communication between servers (as example)
> > > And websites by external CA's or the enterprise CA infrastructure for
> > > which the issuing subca's are published to all clients...
> > >
> > > What about the principle of an offline rootCA in that case? Is that
> > > possible with Dogtag?
> > >
> > > Option 2: Dogtag (RH IDM) as a subordinate CA of MS CA.
> > > Is there a specific reason that a subordinate CA is a better idea?
> > > Our PKI administrators do not really like an additional subCA, because
> > it
> > > is difficult to limit exposure/risks?
> > > We still need to publish the subca to clients?
> > >
> > > What's your opinion: rootCA, or subordinate CA signed by the existing MS
> > > Certificate Services PKI?
> > >
> > If you already have an MS CA securing your infrastructure, with the
> > CA cert distributed to clients / AD-enrolled machines, then the
> > best approach is making the IPA CA subordinate to your MS CA.  Then
> > you don't need to distribute the IPA CA certificate to Windows
> > clients, because they already trust the root MS CA.
> >
> > TLS servers with certificates signed by the IPA CA will need to
> > include the IPA CA intermediate certificate in their certificate
> > chain.
> >
> > Hope that helps,
> > Fraser
> >
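The chain behaviour discussed in this thread, as an added example that is not from the thread or from the Dogtag/FreeIPA projects: a throwaway PKI with hypothetical names (a root standing in for the enterprise MS CA, a sub-CA standing in for the IPA CA, a server cert) shows that a verifier trusting only the root accepts the server cert only when the intermediate is delivered alongside it. It assumes the openssl command line is available.

```shell
# Added example (hypothetical names, not the thread's own setup): a client that
# trusts only the root CA accepts a server cert issued by the sub-CA only when
# the server also delivers the sub-CA (intermediate) certificate.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

build_demo_pki() {
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  KEY="ec -pkeyopt ec_paramgen_curve:P-256"
  # Root CA: stands in for the enterprise (MS) root that Windows clients trust.
  openssl req -x509 -config pki.cnf -subj "/CN=Demo Enterprise Root CA" \
    -newkey $KEY -nodes -keyout root.key -out root.pem -days 30 2>/dev/null
  # Subordinate CA: stands in for the IPA/Dogtag CA, signed by the root.
  openssl req -new -config pki.cnf -subj "/CN=Demo IPA Sub CA" \
    -newkey $KEY -nodes -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions ca_ext -days 30 -out sub.pem 2>/dev/null
  # Server (end-entity) certificate issued by the sub-CA.
  openssl req -new -config pki.cnf -subj "/CN=web.demo.example" \
    -newkey $KEY -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -extfile pki.cnf -extensions leaf_ext -days 30 -out leaf.pem 2>/dev/null
  # What the TLS server should be configured to send: leaf first, then sub-CA.
  cat leaf.pem sub.pem > fullchain.pem
}

# Client trusts only the root; the server sent just its own certificate.
verify_leaf_alone()     { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Client trusts only the root; the server sent leaf + intermediate.
verify_with_fullchain() { openssl verify -CAfile root.pem -untrusted fullchain.pem leaf.pem >/dev/null 2>&1; }

build_demo_pki
if verify_leaf_alone; then echo "leaf alone: accepted (unexpected)"; else echo "leaf alone: rejected"; fi
if verify_with_fullchain; then echo "leaf + intermediate: accepted"; else echo "leaf + intermediate: rejected (unexpected)"; fi
```

The same check against a live server is `openssl s_client -showcerts -connect host:443`: if only one certificate is printed, the server is not delivering its intermediate.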