On 03/13/2015 02:51 PM, Johnny Tan wrote:
On Fri, Mar 13, 2015 at 2:15 PM, Dmitri Pal <[email protected]> wrote:
Rob would definitely know more but IPA mostly provides certs for
the infra it serves and has a limited use of the certs by itself.
So here is where I know it is used:
- You can issue certs for hosts and services, and the installer used to
create certs for hosts automatically, though these certs are not
used for anything and we decided not to create them automatically
any more.
- You need to trust IPA in the browser so that you can do forms-based
authentication if you do not have a Kerberos ticket.
- To issue certs we use Dogtag, and Dogtag understands only cert-based
authentication, so internally the communication between the
management framework and Dogtag uses SSL. This is actually why the
host-del fails. The host had a cert issued by the IPA CA, so as part of
the del operation it tries to revoke the cert, but since you
reconfigured the system to be CA-less it can't and fails.
The communication between the LDAP servers is Kerberos authenticated.
I'll wait for Rob to weigh in, but wow, this would actually be huge
for us and probably a lot of other users. Because if the above is true
(and complete, I guess), then we could actually just run a CA-less
FreeIPA setup, and then generate certs specifically and only for the
web (apache) side, which is easy enough and we do it already for all
other internal web services. That limits cert-related stuff to just
one web SSL cert per IPA master.
This is up to you but that means you would not be able to deal with SSL
for some other use cases down the road.
IPA 4.2 has a lot of new functionality to make it easier to issue and
manage certificates for different use cases like: system provisioning,
VPN, devices, wireless, PaaS/IaaS stacks that use certs for SSL
internally etc. Going CA-less will prevent you from leveraging these
capabilities once you realize they are needed down the road.
Maybe you would not need them, but I would encourage you to look at this
from a longer perspective than just immediate needs.
We have a special tool in FreeIPA 4.2 to do this. The manual
procedure is cumbersome and leads to issues like this.
And to be correct, it is in 4.1 and already released. Sorry for the typo.
Yeah, I saw that, but we are still doing 3.0 on CentOS 6.6, which is
why we had to go down the manual path.
Thanks,
johnny
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project