[Pki-users] Dogtag rootCA or subCA

Fraser Tweedale ftweedal at redhat.com
Wed May 3 13:50:48 UTC 2017


On Wed, May 03, 2017 at 10:36:38AM +0000, Pieter Baele wrote:
> On Tue, May 2, 2017 at 11:13 PM Christina Fu <cfu at redhat.com> wrote:
> 
> > It's unclear from what's described to have the whole context to answer
> > your specific questions, but I can answer the question regarding Dogtag.
> > See below.
> >
> 
> I got perfect answers from both Fraser and you. Thanks a lot.
> 
> As I initially thought, a FreeIPA (or Dogtag with fewer features....(?)) is
> still the best idea.
> 
> But our (MS) AD/PKI admins had some doubts, and were convinced you have to
> deploy subCA CA certificates to clients.
> 
> To conclude:
> - it is much simpler for our team to set up FreeIPA CA services as a subCA,
> also because we don't need to create and secure an offline CA in that case.
>
Yes, creating a sub-CA of the organisation's existing CA avoids this
duplicate effort.  There may be some good reasons to want a separate
root for IDM, but where there is an existing PKI, most organisations
choose to chain IDM into it.

> - we don't need to distribute certs to windows clients
>
That's right.

> - the rootCA (AD PKI) can always revoke our subCA when there is a
> problem/breach. Correct?
>
Yes.  The usual caveats around CRLs, OCSP etc apply.

Cheers,
Fraser
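The points agreed on in this exchange (a sub-CA chained to the organisation's root, no extra trust anchors on clients, and the root being able to revoke the sub-CA, subject to the usual CRL/OCSP caveats) can be reproduced end to end with the openssl command line. The script below is an added example and is not code from this thread, from Dogtag or from FreeIPA; it assumes only that the `openssl` CLI (1.1.1 or later) is installed. It builds a throwaway root (standing in for the AD PKI root), an IDM sub-CA signed by it and one host certificate issued by the sub-CA, then has the root revoke the sub-CA and shows what a verifier sees with and without CRL checking. All names, serial numbers and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Dogtag or FreeIPA): root -> sub-CA -> host
# certificate built with throwaway keys; the root then revokes the sub-CA and two
# verifiers inspect the host certificate, one checking CRLs and one not.
# All names, serials and paths are constructed; requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles plus a minimal 'openssl ca' section per CA, just enough to
# revoke certificates and issue CRLs (certificates are signed with 'x509 -req').
write_config() {
  cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  for ca in root sub; do
    cat >> "$WORK/pki.cnf" <<EOF
[${ca}_ca]
database = $WORK/$ca.index
crlnumber = $WORK/$ca.crlnumber
certificate = $WORK/$ca.crt
private_key = $WORK/$ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$WORK/$ca.index"; echo 01 > "$WORK/$ca.crlnumber"
  done
}

# Organisation root (self-signed) -> IDM sub-CA (serial 1001) -> host cert (2001).
build_pki() {
  write_config
  (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
      -subj "/CN=Example Org Root CA" -config pki.cnf -extensions v3_ca \
      -keyout root.key -out root.crt
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
      -subj "/CN=Example IDM Sub CA" -keyout sub.key -out sub.csr
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -set_serial 1001 \
      -days 1825 -sha256 -extfile pki.cnf -extensions v3_ca -out sub.crt
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
      -subj "/CN=host.idm.example.test" -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -set_serial 2001 \
      -days 365 -sha256 -extfile pki.cnf -extensions v3_leaf -out leaf.crt
  )
  publish_crls
}

# (Re)issue both CRLs; a CRL-checking verifier needs one per issuing CA in the chain.
publish_crls() {
  openssl ca -config "$WORK/pki.cnf" -name root_ca -gencrl -out "$WORK/root.crl"
  openssl ca -config "$WORK/pki.cnf" -name sub_ca -gencrl -out "$WORK/sub.crl"
  cat "$WORK/root.crl" "$WORK/sub.crl" > "$WORK/all.crl"
}

# The root revokes the IDM sub-CA and republishes; the sub-CA's own CRL is unchanged.
revoke_sub_ca() {
  openssl ca -config "$WORK/pki.cnf" -name root_ca \
    -revoke "$WORK/sub.crt" -crl_reason keyCompromise
  publish_crls
}

# Path validation only: returns 0 when the host cert chains up to the root.
verify_ignoring_crls() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Path validation plus a CRL check on every cert in the chain; prints OK, REVOKED
# or the raw openssl error text for anything else.
verify_checking_crls() {
  out="$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
    -crl_check_all -CRLfile "$WORK/all.crl" "$WORK/leaf.crt" 2>&1 || true)"
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*) echo OK ;;
    *) echo "$out" ;;
  esac
}

build_pki >/dev/null 2>&1
echo "before revocation, checking CRLs: $(verify_checking_crls)"
revoke_sub_ca >/dev/null 2>&1
echo "after revocation, checking CRLs:  $(verify_checking_crls)"
# The caveat from the thread: a verifier that never consults CRLs (or OCSP)
# still accepts the host certificate after its issuing sub-CA was revoked.
if verify_ignoring_crls; then
  echo "after revocation, ignoring CRLs:  OK (revocation not visible)"
fi
```

The revocation is recorded only in the root's CRL, so the host certificate is rejected at depth 1 (the sub-CA) by `-crl_check_all`, while plain path validation keeps reporting OK. That is the practical meaning of "the usual caveats": revoking the sub-CA at the root protects only those relying parties that actually fetch and honour the root's CRL (or query its OCSP responder), so CRL distribution points and AIA/OCSP URLs in the sub-CA certificate, and clients configured to use them, are part of the design, not an afterthought.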
