Hi Fraser,
Maybe I am not interpreting this 100% correctly....
Using a subCA: in which cases / direction is it not necessary to deploy the
IPA intermediate CA cert?
AFAIK, all issuing (sub) CAs' certs are deployed to (Windows) clients. So
in fact this is not (always) necessary?
On Tue, May 2, 2017 at 12:55 PM Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Tue, May 02, 2017 at 09:45:49AM +0000, Pieter Baele wrote:
> We will start setting up IDM/FreeIPA for a specific Linux subdomain in our
> enterprise.
>
> But how can we best integrate Dogtag with the enterprise CA infrastructure
> (MS Certificate Services)?
>
> Option 1: Dogtag as the rootCA (?)
> We can use FreeIPA for all certificates where we need to encrypt end-to-end
> communication between servers (as an example)
> And websites by external CAs or the enterprise CA infrastructure for
> which the issuing subCAs are published to all clients...
>
> What about the principle of an offline rootCA in that case? Is that
> possible with Dogtag?
>
> Option 2: Dogtag (RH IDM) as a subordinate CA of MS CA.
> Is there a specific reason that a subordinate CA is a better idea?
> Our PKI administrators do not really like an additional subCA, because it
> is difficult to limit exposure/risks?
> We still need to publish the subca to clients?
>
> What's your opinion: rootCA, or subordinate CA signed by the existing MS
> Certificate Services PKI?
>
If you already have an MS CA securing your infrastructure, with the
CA cert distributed to clients / AD-enrolled machines, then the
best approach is making the IPA CA subordinate to your MS CA. Then
you don't need to distribute the IPA CA certificate to Windows
clients, because they already trust the root MS CA.
TLS servers with certificates signed by the IPA CA will need to
include the IPA CA intermediate certificate in their certificate
chain.
Hope that helps,
Fraser
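The chain behaviour Fraser describes (clients trust only the enterprise root, so a server whose certificate was signed by the subordinate IPA CA must present the intermediate itself), and the follow-up question at the top about when the IPA intermediate does not need deploying to clients, as an added shell example that is not from the thread or from FreeIPA/Dogtag. It builds a throwaway root / subordinate / server-certificate chain with openssl; all names are constructed placeholders and the only assumption is a local openssl binary (1.1.1 or later).

```shell
#!/bin/sh
# Added illustration for this thread, not code from the posters or from
# FreeIPA/Dogtag. The root stands in for the enterprise (MS) CA already
# trusted by clients, the subordinate for the IPA CA, and the leaf is a
# TLS server certificate. Every name below is a constructed placeholder.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

build_demo_pki() {
  # 1. Self-signed root: the trust anchor that is already on the clients.
  #    A private config file is used so the CA extensions are explicit and
  #    do not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
    '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/root.cnf"
  openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=Demo Enterprise Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

  # 2. Subordinate CA signed by the root (option 2 in the thread).
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/sub.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo IPA Sub CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/sub.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" >/dev/null 2>&1

  # 3. Server certificate issued by the subordinate.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:web.ipa.example.test' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=web.ipa.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

  # What the TLS server must present: its own cert followed by the
  # intermediate. This is the file a web server would be configured with.
  cat "$WORK/leaf.pem" "$WORK/sub.pem" > "$WORK/chain.pem"
}

# A client that trusts only the root and is handed the leaf by itself:
# the issuer (the IPA sub CA) is unknown to it, so validation fails.
verify_leaf_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# The same client, handed the chain file as a server would send it.
# openssl verify validates only the first certificate in a target file, so
# the chain is supplied via -untrusted: extra links, not extra trust anchors.
verify_with_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_demo_pki
echo "leaf alone, root trusted:          $(verify_leaf_only)"
echo "leaf + intermediate, root trusted: $(verify_with_chain)"
```

The first check fails and the second succeeds: nothing about the subordinate ever has to be installed on the client, provided every server sends the intermediate. To audit a real deployment for this, `openssl s_client -connect host:443 -showcerts` lists exactly the certificates the server presents; a chain that stops at the leaf is the misconfiguration this example reproduces.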