Offline rootCA is actually what we'd recommend for large secure deployment sites, where you would set up a Dogtag root CA and issue one or more subordinate CAs. I think you could also set up an OCSP subsystem that's paired up with the root CA to serve revocation information once you bring the root CA offline.

We will start setting up IDM/FreeIPA for a specific Linux subdomain in our enterprise.
But how can we best integrate Dogtag with the enterprise CA infrastructure (MS Certificate Services)?
Option 1: Dogtag as the rootCA (?)
We can use FreeIPA for all certificates where we need to encrypt end-to-end communication between servers (as an example),
and websites by external CAs or the enterprise CA infrastructure, for which the issuing sub CAs are published to all clients...
What about the principle of an offline rootCA in that case? Is that possible with Dogtag?
Option 2: Dogtag (RH IDM) as a subordinate CA of the MS CA.
Is there a specific reason that a subordinate CA is a better idea?
Our PKI administrators do not really like an additional sub CA, because it is difficult to limit exposure/risks?
We still need to publish the sub CA to clients?
What's your opinion: rootCA, or subordinate CA signed by the existing MS Certificate Services PKI?
-- Pieter
_______________________________________________ Pki-users mailing list Pki-users@redhat.com https://www.redhat.com/mailman/listinfo/pki-users