Hi Fraser, I think I will go with option a). It appears to be the simpler one, and I can ditch AD in the future if IPA becomes good enough to replace it. So they aren’t tied.
Thank you.

PS: You’re the same guy from the link.

> On 19 Jul 2020, at 23:22, Fraser Tweedale <[email protected]> wrote:
>
> On Sat, Jul 18, 2020 at 12:45:03AM +0000, Vinícius Ferrão via
> FreeIPA-users wrote:
>> Hello,
>>
>> I need to issue some certificates for the AD Environment and I
>> don’t have ADCS in place. So my FreeIPA deployment was with a self
>> signed CA and the common AD Trust enabled.
>>
>> Now with this issue I’m looking on the IPA’s documentation and
>> there’s some recommendations to deploy IPA as a subCA from ADCS,
>> but as I said, I don’t have it. So I was thinking if it’s
>> possible to issue certificates for Windows machines directly from
>> FreeIPA, and if this is recommended or not.
>>
>> If it’s possible but it will be a hassle, is there a way to make
>> FreeIPA talk with ADCS after the deployment? I can set up an ADCS
>> instance to keep Windows certificates in a separate location.
>>
>> I saw this post:
>> https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-integration-ipa-certs.html
>> but I don’t think it’s the same issue here; the valuable info that
>> I found on this site is about trusting the FreeIPA CA certificate
>> on Windows environment: "Operationally there is one additional
>> step when the IPA CA is not subordinate to the AD CA: the IPA CA
>> certificate has to be explicitly trusted."; but the use case does
>> not seem to be on a Windows system.
>>
>> Thanks for any guidance.
>>
> Hi Vinícius,
>
> FreeIPA does not support the enrolment protocols used by Windows
> systems. You might have an easier time using AD-CS. If you decide
> to use AD-CS you have three options on how to relate the PKIs:
>
> a) Have AD-CS as a separate PKI. You will need to add the AD-CS CA
> cert to IPA's trust store and vice-versa.
>
> b) Re-chain the IPA CA to become a subordinate of the AD-CS CA.
>
> c) Make AD-CS a subordinate of the IPA CA. See [1] for how to issue
> subordinate CA certs from FreeIPA.
>
> [1] https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
>
> If you decide to continue without AD-CS, we can help with issuance
> (the profile configuration, CA ACLs, etc) but I have no idea about
> the procedure on the Windows side (creating the CSR, installing the
> certificate, etc).
>
> Cheers,
> Fraser
