[Pki-users] Dogtag rootCA or subCA
Christina Fu
cfu at redhat.com
Tue May 2 21:12:45 UTC 2017
From what's described, I don't have the whole context needed to answer
your specific questions, but I can answer the question regarding Dogtag.
See below.
On 05/02/2017 02:45 AM, Pieter Baele wrote:
> We will start setting up IDM/FreeIPA for a specific linux subdomain
> in our enterprise.
>
> But how can we best integrate Dogtag with the enterprise CA
> infrastructure (MS Certificate Services)?
>
> Option 1: Dogtag as the rootCA (?)
> We can use FreeIPA for all certificates where we need to encrypt
> end-to-end communication between servers (for example),
> and websites by external CAs or the enterprise CA infrastructure,
> for which the issuing sub CAs are published to all clients...
>
> What about the principle of an offline rootCA in that case? Is that
> possible with Dogtag?
Offline rootCA is actually what we'd recommend for large secure
deployment sites, where you would set up a Dogtag root CA and issue one
or more subordinate CAs. I think you could also set up an OCSP
subsystem that's paired up with the root CA to serve revocation
information once you bring the root CA offline.
You would only need to bring up the rootCA when you need to install more
subordinate CAs or revoke one.
>
> Option 2: Dogtag (RH IDM) as a subordinate CA of MS CA.
> Is there a specific reason that a subordinate CA is a better idea?
> Our PKI administrators do not really like an additional subCA,
> because it is difficult to limit exposure/risks?
> We still need to publish the subCA to clients?
>
> What's your opinion: rootCA, or subordinate CA signed by the existing
> MS Certificate Services PKI?
>
> -- Pieter
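The layout described in the reply, as an added example that is not part of the original thread and not Dogtag's own code: an openssl-CLI script that builds an offline root (pathlen:1), an online issuing sub CA (pathlen:0) and a server certificate, checks that a certificate slipped in below an unexpected extra CA tier is rejected (the property that limits a sub CA's exposure), and issues the root's CRL, the artefact the root produces during its rare online windows (the OCSP responder mentioned above would serve the same revocation data). All names, lifetimes and file paths are made up; it assumes openssl 1.1.0 or newer on PATH.

```shell
#!/bin/sh
# Added example, not Dogtag's or the list's own code: a two-tier hierarchy
# (offline root -> online issuing sub CA -> leaf) built with the openssl CLI.
# Names, paths and lifetimes are made up; assumes openssl >= 1.1.0.
set -eu

# One config file drives every step: a [req] section for the CSRs, one
# extension section per tier, and a [ca] section used only by the root for CRLs.
write_config() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_unconstrained_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.test
[ ca ]
default_ca = root_ca
[ root_ca ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 30
policy = pol_any
[ pol_any ]
commonName = supplied
EOF
}

# issue NAME ISSUER SECTION DAYS: new key and CSR for NAME, certified by ISSUER
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days "$4" -sha256 -extfile ca.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# Root: self-signed, pathlen:1, so it may certify sub CAs but nothing deeper;
# its key is the one that stays on the offline machine. The sub CA gets
# pathlen:0. "extra" and "leaf2" model an unwanted further tier under the sub CA.
build_hierarchy() {
  mkdir -p "$1" && ( cd "$1" && write_config && touch index.txt && echo 1000 > serial &&
    openssl req -x509 -config ca.cnf -extensions v3_root -newkey rsa:2048 -nodes \
      -sha256 -days 3650 -subj "/CN=Example Offline Root" \
      -keyout root.key -out root.pem 2>/dev/null &&
    issue sub root v3_sub 1825 &&
    issue leaf sub v3_leaf 365 &&
    issue extra sub v3_unconstrained_ca 365 &&
    issue leaf2 extra v3_leaf 365 )
}

# 0 when the server certificate chains to the root through the sub CA
verify_leaf() {
  ( cd "$1" && openssl verify -CAfile root.pem -untrusted sub.pem leaf.pem >/dev/null 2>&1 )
}

# 0 when a certificate issued below the extra tier is rejected (pathlen:0 holds)
extra_tier_blocked() {
  ( cd "$1" && cat sub.pem extra.pem > chain.pem &&
    ! openssl verify -CAfile root.pem -untrusted chain.pem leaf2.pem >/dev/null 2>&1 )
}

# The root CRL is the routine artefact that needs the root key: produce it
# while the root is online, then publish the CRL (or feed it to OCSP) in its place.
issue_root_crl() {
  ( cd "$1" && openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null )
}

# Revoking a sub CA is the other event that needs the root; reissue the CRL after it
revoke_sub_ca() {
  ( cd "$1" && openssl ca -config ca.cnf -revoke sub.pem >/dev/null 2>&1 ) && issue_root_crl "$1"
}

# 0 when the root's CRL marks the sub CA certificate as revoked
sub_ca_revoked() {
  ( cd "$1" && openssl verify -crl_check -CAfile root.pem -CRLfile root.crl sub.pem 2>&1 |
    grep -q 'certificate revoked' )
}
# Usage: build_hierarchy /tmp/pki-demo && verify_leaf /tmp/pki-demo && extra_tier_blocked /tmp/pki-demo
```

Every function takes the working directory as its argument so it can be sourced and driven step by step; `build_hierarchy` is the only step that would touch the root key in normal operation apart from `issue_root_crl` and `revoke_sub_ca`, which is exactly the set of tasks the reply says require bringing the root online.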