On 10/04/2013 12:12 PM, Oleg Antonenko wrote:
That’s all clear now, thank you Dmitri!
Regarding our wish list :)
Basically we just have evaluated ejbCA, so we want something similar
but without EJB and a heavyweight app server, i.e.:
- UI for managing certs
Can you define workflows and actors?
Who does what when to the certs?
Are certs associated to users or to devices?
Do you track devices in the CA or somewhere else?
Are users enterprise users (belong to one company) or internet users
(any user from the street)?
- Support SCEP & OCSP
Dogtag supports both: the first as a protocol, the second as a
component that can be installed and turned on.
For SCEP do you actually need a SCEP client? What do you use as a SCEP client?
Are there any specific features of the SCEP protocol that are required
that are currently natively not supported by the Dogtag CA?
- API for issuing and revoking certs (cert-based request auth is
preferable) -- as we want to integrate our product for revoking certs
The product can be given a keytab and authenticate kerberos to the IPA.
It is very simple and would be easier to accomplish.
An API for managing certs for hosts and services is already available in IPA,
so the question of what the certs are associated with is very important.
Also certmonger can be used for fetching certs and storing them in the
files or DBs you need.
Are you aware of certmonger?
It can effectively be a whole alternative solution. From your portal you
call Certmonger on the local system via CLI or D-BUS interface and it
gets a cert for you.
But I need to understand the workflow better. If you generate the PKI
pair on your portal and deliver them to a device it is a perfect
solution. If you use client side software on the mobile platform to send
the signing request then it is a different workflow and you need to send
such request to CA.
- Desirable - Export a key store (including cert) as PKCS#12, PEM (for
manual deployment of certs on e.g. SSL servers).
When and where? During issuance or ability to later export it from the
back end store?
As mentioned earlier we are planning to use a CA for issuing and
delivering certs to mobile devices via SCEP.
I am sorry I am not familiar with the details of the workflow in this case.
Can you describe the chain of communication between mobile device, your
portal and CA and what protocols used where?
So far we managed to issue certs for iphones via SCEP in ejbCA and
Dogtag (pki-ca 9.0.3-30 package).
Dogtag wins provided we can carry on using standalone CA services in
the future for free as a part of RHEL IPA…
Yes this is a clear winner keeping in mind that we had some distant
plans about the use case you are describing. Unfortunately we were not
able to get a good understanding of the details of the use case in the
past thus so many questions. Sorry.
Thanks
Dmitri
Thanks,
Oleg
*From:* Dmitri Pal [mailto:dpal@redhat.com]
*Sent:* 04 October 2013 16:54
*To:* Oleg Antonenko
*Cc:* Nathan Kinder (nkinder(a)redhat.com); Ciaran Bradley;
pki-users(a)redhat.com
*Subject:* Re: [Pki-users] will the new version of RHCS support RHEL6?
On 10/04/2013 11:48 AM, Oleg Antonenko wrote:
Hi Dmitri, Nathan,
Thank you for speedy responses.
Could you please confirm my understanding?
RHCS is going to be shipped as a part of RHEL7.x in the foreseeable
future;
It is not "a part" it is a stand alone product and not free.
IPA is a free part of RHEL 6.x and will remain as such in the
foreseeable future;
Correct and same is true for RHEL7.x
RHEL 6.x does not ship RHCS, but includes only pki-ca packages in
order to support IPA.
Correct
Could you also clarify your point here ?
"The CA portion in RHEL is not supported by Red Hat for standalone use
*without an entitlement for the rest of RHCS*, which isn't
available on RHEL 6"
RHCS is a layered product and can be acquired separately.
We do not ship a version of RHCS on top of RHEL6. It is a big product
and takes a lot of time to deliver.
We decided to skip a major RHEL version.
Does it mean RHCS is not free?
Correct.
Regarding this -
"We would be actually very interested if we can support this use case
with core IPA.
Would you be interested in a conversation about this?"
Yes, we’d love to.
Ok let us have one.
I am sorry, I have not been following the whole thread, just this mail
caught my eye so what kind of functionality we are looking for?
Can you formulate a "wish list" for your use case assuming the CA is a
part of IPA?
Many thanks,
Oleg
*From:* pki-users-bounces@redhat.com [mailto:pki-users-bounces@redhat.com] *On Behalf Of* Dmitri Pal
*Sent:* 04 October 2013 16:21
*To:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] will the new version of RHCS support RHEL6?
On 10/04/2013 11:08 AM, Oleg Antonenko wrote:
Hi Nathan,
Could you please shed some light on the future plans for the pki-ca
portion of RHEL?
Will it be included in the standard RHEL distribution in the future?
Dogtag 10+ will become an RHCS product on top of RHEL7.x
Some of its portions will be gradually included into IPA that comes
for free with RHEL.
IMO full blown IPA is not that "full blown" in this case.
We would be actually very interested if we can support this use case
with core IPA.
Would you be interested in a conversation about this?
Thanks
Dmitri
I’m asking because we’re planning to use the CA bit only for issuing
certificates to mobile devices via SCEP. We do not require any other
services or the full blown IPA…
With thanks,
Oleg
*From:* pki-users-bounces@redhat.com [mailto:pki-users-bounces@redhat.com] *On Behalf Of* Nathan Kinder
*Sent:* 27 September 2013 20:03
*To:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] will the new version of RHCS support RHEL6?
On 09/26/2013 10:25 PM, 安 泱 wrote:
Hi all,
I'm a beginner with the Dogtag certificate system. Dogtag (RHCS) is
a wonderful project, but I'm confused about RHCS; could you give
any help?
The latest version of RHCS is 8.1, which is based on Dogtag 8.1;
it supports RHEL5.8, and in RHEL6, pki-ca 9.0.3 was included
without the other 5 subsystems. Could you tell me the
consideration why RHCS does not support RHEL6?
Is RHEL6 not secure enough or some other reasons?
It was simply not a targeted platform (nor are there plans to release
it there). The pki-ca portion is included for use by IdM (based on the
FreeIPA project).
Thanks,
-NGK
Regards.
An Yang
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
http://www.redhat.com/carveoutcosts/
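The wish list in the thread asks for exporting a key store (certificate plus private key) as PKCS#12 and PEM for manual deployment on e.g. SSL servers. The following is an added example, not code from the thread, from Dogtag or from IPA: it uses the openssl command-line tool (assumed to be installed) to stand in for a CA-issued pair with a constructed self-signed one, bundle it into a PKCS#12 file, extract certificate and key back to PEM, and check that the extracted certificate and key still belong together. The working directory, subject name, friendly name and password are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): PEM key + cert -> PKCS#12 -> PEM
# round trip with the openssl CLI. Assumes openssl is installed.
set -e
umask 077   # key material is written here; keep files owner-only

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"   # constructed sample password; use a real secret in practice

# Constructed self-signed pair standing in for a CA-issued certificate.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=device-0001.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Export: PEM key + cert -> PKCS#12 bundle (the "key store" of the wish list).
export_p12() {
  openssl pkcs12 -export \
    -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -name "device-0001" -passout "pass:$P12_PASS" \
    -out "$WORK/bundle.p12"
}

# Import side: pull certificate and key back out as PEM for an SSL server.
# The key is written unencrypted, which is why umask 077 matters above.
import_p12() {
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" \
    -nokeys -clcerts -out "$WORK/cert-out.pem" 2>/dev/null
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" \
    -nocerts -nodes -out "$WORK/key-out.pem" 2>/dev/null
}

# Check the round trip: same certificate fingerprint before and after, and
# the extracted key's public half equals the public key in the certificate.
# Returns 0 on success, 1 on any mismatch.
verify_roundtrip() {
  a=$(openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/cert-out.pem" -noout -fingerprint -sha256)
  [ "$a" = "$b" ] || return 1
  kpub=$(openssl pkey -in "$WORK/key-out.pem" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$WORK/cert-out.pem" -noout -pubkey)
  [ "$kpub" = "$cpub" ] || return 1
}

# Full demo: generate, export, import, verify. Returns 0 when all steps pass.
run_export_demo() {
  make_sample_pair && export_p12 && import_p12 && verify_roundtrip
}
```

The PKCS#12 password protects the private key only inside the bundle; once extracted with -nodes the key file is in the clear, so the file permissions set by umask are the real control on the target server.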