[Pki-users] Dogtag rootCA or subCA

Christina Fu cfu at redhat.com
Tue May 2 21:12:45 UTC 2017


It's unclear from what's described to have the whole context to answer 
your specific questions, but I can answer the question regarding Dogtag. 
See below.

On 05/02/2017 02:45 AM, Pieter Baele wrote:
> We will start setting up IDM/FreeIPA for a specific Linux subdomain 
> in our enterprise.
>
> But how can we best integrate Dogtag with the enterprise CA 
> infrastructure (MS Certificate Services)?
>
> Option 1: Dogtag as the rootCA (?)
> We can use FreeIPA for all certificates where we need to encrypt 
> end-to-end communication between servers (as an example),
> and websites by external CAs or the enterprise CA infrastructure, 
> for which the issuing sub-CAs are published to all clients...
>
> What about the principle of an offline rootCA in that case? Is that 
> possible with Dogtag?
An offline root CA is actually what we'd recommend for large secure 
deployment sites, where you would set up a Dogtag root CA and issue one 
or more subordinate CAs.  I think you could also set up an OCSP 
subsystem that's paired up with the root CA to serve revocation 
information once you bring the root CA offline.
You would only need to bring up the root CA when you need to install more 
subordinate CAs or revoke one.

>
> Option 2: Dogtag (RH IDM) as a subordinate CA of the MS CA.
> Is there a specific reason that a subordinate CA is a better idea?
> Our PKI administrators do not really like an additional sub-CA, 
> because it is difficult to limit exposure/risks?
> We still need to publish the sub-CA to clients?
>
> What's your opinion: rootCA, or subordinate CA signed by the existing 
> MS Certificate Services PKI?
>
> -- Pieter
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
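
The two-tier layout Christina describes (offline root, online issuing sub-CA, root brought up only to sign or revoke a sub-CA) can be exercised end to end with plain OpenSSL. The script below is an added illustration and is not code from Dogtag, FreeIPA or anyone in this thread; it uses a CRL rather than Dogtag's OCSP subsystem because a CRL is the simplest revocation channel to show offline. All names, paths, lifetimes and the working directory are assumptions, and it needs OpenSSL 1.1.1 or newer (older releases return 0 from `openssl verify` even on failure).

```shell
#!/bin/sh
# Added example, not Dogtag/FreeIPA code: offline root CA + online issuing sub-CA.
# Everything under $WORK (names, lifetimes, hostnames) is an assumption for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
ROOT="$WORK/root"   # root material: in production this host stays powered off
SUB="$WORK/sub"     # the issuing CA that servers actually enrol against
CNF="$WORK/ca.cnf"

write_config() {
  mkdir -p "$ROOT/newcerts" "$SUB"
  : > "$ROOT/index.txt"; echo 1000 > "$ROOT/serial"; echo 1000 > "$ROOT/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = root_ca
[ root_ca ]
database         = $ROOT/index.txt
new_certs_dir    = $ROOT/newcerts
serial           = $ROOT/serial
crlnumber        = $ROOT/crlnumber
certificate      = $ROOT/root.crt
private_key      = $ROOT/root.key
default_md       = sha256
default_days     = 1825
default_crl_days = 30
policy           = policy_cn_only
copy_extensions  = none
[ policy_cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
# pathlen:0 limits the exposure of the sub-CA: it can issue end-entity certs only
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app1.linux.example.com
EOF
}

build_root() {   # one-time ceremony on the offline host
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$CNF" \
    -extensions v3_root -subj "/CN=Example Offline Root CA" \
    -keyout "$ROOT/root.key" -out "$ROOT/root.crt" 2>/dev/null
}

sign_sub_ca() {  # root online, reason 1: install a subordinate CA
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -subj "/CN=Example Issuing CA 1" -keyout "$SUB/sub.key" -out "$SUB/sub.csr" 2>/dev/null
  openssl ca -config "$CNF" -batch -notext -extensions v3_sub \
    -in "$SUB/sub.csr" -out "$SUB/sub.crt" 2>/dev/null
}

revoke_sub_ca() {  # root online, reason 2: revoke a sub-CA and publish a fresh CRL
  openssl ca -config "$CNF" -revoke "$SUB/sub.crt" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$ROOT/root.crl" 2>/dev/null
}

issue_leaf() {   # day-to-day issuance: only the sub-CA key is ever online
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -subj "/CN=app1.linux.example.com" -keyout "$SUB/leaf.key" -out "$SUB/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$SUB/leaf.csr" -CA "$SUB/sub.crt" -CAkey "$SUB/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions v3_leaf \
    -out "$SUB/leaf.crt" 2>/dev/null
}

# Client view: trust only the root; the sub-CA cert arrives as an untrusted intermediate.
verify_leaf_chain() {
  openssl verify -CAfile "$ROOT/root.crt" -untrusted "$SUB/sub.crt" "$SUB/leaf.crt" >/dev/null 2>&1
}
# Revocation status of the sub-CA itself against the root's CRL; non-zero once revoked.
verify_sub_ca_with_crl() {
  openssl verify -crl_check -CAfile "$ROOT/root.crt" -CRLfile "$ROOT/root.crl" \
    "$SUB/sub.crt" >/dev/null 2>&1
}

write_config; build_root; sign_sub_ca; issue_leaf
verify_leaf_chain && echo "leaf chain verifies against the root"
revoke_sub_ca
if verify_sub_ca_with_crl; then echo "unexpected: sub-CA still valid"
else echo "sub-CA rejected after the root published its CRL"; fi
```

Only `build_root`, `sign_sub_ca` and `revoke_sub_ca` touch `root.key`, which is the whole point of the offline-root design: the issuing CA's key is the one exposed to enrolment traffic, and `pathlen:0` in `v3_sub` bounds what an attacker could do with it. In Dogtag the CRL produced here would instead be published by the CA and served by the OCSP subsystem Christina mentions.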
