[Pki-users] Dogtag rootCA or subCA

Pieter Baele pieter.baele at gmail.com
Wed May 3 10:36:38 UTC 2017


On Tue, May 2, 2017 at 11:13 PM Christina Fu <cfu at redhat.com> wrote:

> It's unclear from what's described to have the whole context to answer
> your specific questions, but I can answer the question regarding Dogtag.
> See below.
>

I got perfect answers from both Fraser and you. Thanks a lot.

As I initially thought, a FreeIPA (or Dogtag with fewer features...(?)) is
still the best idea.

But our (MS) AD/PKI admins had some doubts, and were convinced you have to
deploy subCA CA certificates to clients.

To conclude:
- it is much simpler for our team to set up FreeIPA CA services as a subCA,
also because we don't need to create and secure an offline CA in that case.
- we don't need to distribute certs to Windows clients
- the rootCA (AD PKI) can always revoke our subCA when there is a
problem/breach. Correct?

-- Pieter