It's unclear from what's described to have the whole context to answer
your specific questions, but I can answer the question regarding Dogtag.
See below.
On 05/02/2017 02:45 AM, Pieter Baele wrote:
We will start setting up IDM/FreeIPA for a specific Linux subdomain
in our enterprise.
But how can we best integrate Dogtag with the enterprise CA
infrastructure (MS Certificate Services)?
Option 1: Dogtag as the rootCA (?)
We can use FreeIPA for all certificates where we need to encrypt
end-to-end communication between servers (as example)
And websites by external CAs or the enterprise CA infrastructure
for which the issuing sub-CAs are published to all clients...
What about the principle of an offline rootCA in that case? Is that
possible with Dogtag?
Offline rootCA is actually what we'd recommend for large secure
deployment sites, where you would set up a Dogtag root CA and issue one
or more subordinate CAs. I think you could also set up an OCSP
subsystem that's paired up with the root CA to serve revocation
information once you bring the root CA offline.
You would only need to bring up the rootCA when you need to install more
subordinate CAs or revoke one.
Option 2: Dogtag (RH IDM) as a subordinate CA of MS CA.
Is there a specific reason that a subordinate CA is a better idea?
Our PKI administrators do not really like an additional subCA,
because it is difficult to limit exposure/risks?
We still need to publish the subca to clients?
What's your opinion: rootCA, or subordinate CA signed by the existing
MS Certificate Services PKI?
-- Pieter
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
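The layout recommended in the reply above (an offline root that signs one or more subordinate CAs and only comes back online to install or revoke one) can be modelled end to end with Go's standard crypto/x509 package. The program below is an added example written for this page; it is not code from the thread, from Dogtag or from Red Hat, and it does not use Dogtag's own tooling. The CA names, hostnames and serial numbers are constructed. It shows three things a PKI administrator would want to confirm before accepting a subordinate CA: the normal leaf -> subordinate -> root chain validates against a trust store that holds only the root; a path-length constraint of zero on the subordinate stops it from creating a further CA tier, which bounds the exposure the quoted question worries about; and revoking the subordinate needs nothing from the root except one signed CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed two-tier PKI: offline root, online issuing CA, one server cert.
type Hierarchy struct {
	RootKey, SubKey *ecdsa.PrivateKey // RootKey would never leave the offline root system
	Root, Sub, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// caTemplate: MaxPathLenZero must be true for pathlen:0 to be encoded; Go omits it otherwise.
func caTemplate(cn string, serial int64, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: maxPathLen, MaxPathLenZero: maxPathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// leafTemplate builds an end-entity TLS server certificate template.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildHierarchy issues root (pathlen:1) -> subordinate (pathlen:0) -> leaf; the subordinate may sign leaves only.
func BuildHierarchy() *Hierarchy {
	h := &Hierarchy{RootKey: newKey(), SubKey: newKey()}
	root := caTemplate("Example Offline Root CA", 1, 1)
	h.Root = issue(root, root, h.RootKey.Public(), h.RootKey) // self-signed
	h.Sub = issue(caTemplate("Example Issuing CA", 2, 0), h.Root, h.SubKey.Public(), h.RootKey)
	h.Leaf = issue(leafTemplate("app01.example.internal", 100), h.Sub, newKey().Public(), h.SubKey)
	return h
}

// verifyOpts is the relying party's view: only the root is trusted; other CAs are untrusted intermediates.
func verifyOpts(h *Hierarchy, host string, inter ...*x509.Certificate) x509.VerifyOptions {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	for _, c := range append(inter, h.Sub) {
		pool.AddCert(c)
	}
	return x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// VerifyLeaf checks the intended chain leaf -> subordinate -> root.
func VerifyLeaf(h *Hierarchy) error {
	_, err := h.Leaf.Verify(verifyOpts(h, "app01.example.internal"))
	return err
}

// ChainDepthEnforced lets the subordinate sign an unplanned third-tier CA; true means relying parties reject it.
func ChainDepthEnforced(h *Hierarchy) bool {
	deepKey := newKey()
	deep := issue(caTemplate("Unplanned Third-Tier CA", 3, 0), h.Sub, deepKey.Public(), h.SubKey)
	leaf := issue(leafTemplate("app02.example.internal", 101), deep, newKey().Public(), deepKey)
	_, err := leaf.Verify(verifyOpts(h, "app02.example.internal", deep))
	return err != nil // pathlen:0 on the subordinate is exceeded, so the chain fails
}

// RevokeSubordinate is the one job that needs the offline root key: a root-signed CRL listing the subordinate.
func RevokeSubordinate(h *Hierarchy) bool {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 1, 0),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: h.Sub.SerialNumber, RevocationTime: now}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, h.Root, h.RootKey))))
	revoked := false
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(h.Sub.SerialNumber) == 0
	}
	return crl.CheckSignatureFrom(h.Root) == nil && revoked // only a root-signed CRL counts
}

func main() {
	h := BuildHierarchy()
	fmt.Println("leaf valid:", VerifyLeaf(h) == nil, "| third tier rejected:", ChainDepthEnforced(h), "| sub revoked:", RevokeSubordinate(h))
}
```

In a real deployment the root private key stays on the offline system (or in its HSM) and the only artifacts that leave it are the signed subordinate certificate and the periodic CRL, which is what lets a separate OCSP responder answer for the root without the root being reachable. The pathlen:0 constraint is also the concrete answer to the "limit exposure" concern in the quoted question: a subordinate issued that way can sign server certificates but cannot spawn further CAs that clients would trust.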