On Thu, May 05, 2016 at 12:46:48PM -0700, Ha T. Lam wrote:
> Hi Fraser,
>
> Thank you very much for the immediate response. Our use-case for Dogtag is:
> our installation engineers request a signing CA cert through the Dogtag web
> interface, and our admin grants the request; anything following is not
> managed with Dogtag. So we only use Dogtag for managing the root cert and
> the signing CA certs (besides OCSP, audit certs, etc. that come with the
> system).
>
> I'm not sure how your solution would work in our case: if we import a
> signing cert into Dogtag and sign other certs that we give to our
> installation engineers using it, it would change our current cert chain.
>
> Reading your reply, I realized I probably misunderstood how FreeIPA worked.
> I thought I only needed to import Dogtag's Root CA (which is our company
> Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this
> would not work, would it?
>
Correct; there isn't right now a way to "adopt" an existing CA into an
existing Dogtag instance.

In either case, because you are issuing admin-approved CA certificates,
I don't think FreeIPA fits your use case. In the future we will support
sub-CA creation (it is what I am working on) so you might want to
evaluate FreeIPA once that feature has landed.

Cheers,
Fraser

> Thanks,
> Ha
>
> On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale <[email protected]> wrote:
>
> > On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > > Hi,
> > >
> > > We have an in-house CA system managed by a stand-alone Dogtag system; we
> > > would like to integrate it with our FreeIPA system, which is already in
> > > use and is set up with the company LDAP. I'm new to FreeIPA and I have
> > > some questions about this process:
> > >
> > > 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> > > directly? If so, how would I achieve that?
> > >
> > This is not supported, though it's technically feasible (we just
> > don't have any code to do it).
> >
> > > 2. If it's not possible to do the above, what about setting up a clone of
> > > the current FreeIPA system and migrating Dogtag during the installation
> > > of the replica? Is this a better option?
> > >
> > Same as above... technically feasible but no way to do it right now.
> >
> > > 3. Any other alternative?
> > >
> > One alternative is to export your CA signing cert and key, and
> > install a new Dogtag instance in your FreeIPA environment. The IPA
> > Dogtag instance would be "detached" from your existing Dogtag
> > instance but, cryptographically speaking, it would be the same CA.
> >
> > You would have to tweak serial number ranges to ensure the new
> > instance doesn't reuse serial numbers that were already used (a
> > simple procedure).
> >
> > How well this would work in your organisation would depend on what
> > sorts of things you use the existing Dogtag for, how clients expect
> > to renew certificates, etc. I'm happy to answer questions you might
> > have in considering this approach.
> >
> > Cheers,
> > Fraser
> >
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
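A check for the serial-number step Fraser describes, where two Dogtag instances share one CA signing key and must never issue the same serial (CRL and OCSP entries are keyed by issuer and serial, so a duplicate makes revocation ambiguous). This is an added example, not code from the thread or from Dogtag; the accepted serial formats and the (begin, end) range tuples are assumptions, and it does not model which Dogtag configuration keys hold the ranges.

```python
# Added example (not from the thread or Dogtag): validate that the serial
# range planned for a new instance reusing an existing CA key is disjoint
# from everything the original instance has issued or reserved.

def parse_serial(value):
    """Accept an int, a decimal string, or a hex string ("0x1a" or "1a:2b").

    Assumption: digit-only strings without a 0x prefix are decimal; pass
    hex serials with a 0x prefix (or with colons) to avoid ambiguity.
    """
    if isinstance(value, int):
        return value
    s = value.strip().lower().replace(":", "")
    if s.startswith("0x"):
        return int(s, 16)
    return int(s, 16) if any(c in "abcdef" for c in s) else int(s, 10)


def check_new_range(issued_serials, old_range, new_range):
    """Return a list of problems; an empty list means the new range is safe.

    issued_serials: serials already issued by the existing instance.
    old_range, new_range: inclusive (begin, end) ranges of each instance.
    """
    issued = {parse_serial(s) for s in issued_serials}
    ob, oe = (parse_serial(x) for x in old_range)
    nb, ne = (parse_serial(x) for x in new_range)
    problems = []
    if nb > ne:
        problems.append("new range begin is greater than its end")
    if nb <= oe and ob <= ne:
        problems.append("new range overlaps the existing instance's configured range")
    # Issued serials may lie outside the old configured range (earlier
    # allocations), so check them individually rather than trusting the range.
    collisions = sorted(s for s in issued if nb <= s <= ne)
    if collisions:
        problems.append("new range contains already-issued serials: "
                        + ", ".join(hex(s) for s in collisions))
    return problems


def propose_new_range(issued_serials, old_range, size):
    """Lowest range of `size` serials above everything used or reserved."""
    issued = {parse_serial(s) for s in issued_serials}
    highest = max([parse_serial(old_range[1])] + list(issued))
    begin = highest + 1
    return (begin, begin + size - 1)
```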
