On Mon, May 09, 2016 at 10:23:07PM +0300, Alexander Bokovoy wrote:
> On Mon, 09 May 2016, Andy Thompson wrote:
> >Is freeipa in RHEL7.2 able to be used as an organizational CA these
> >days? I have a requirement to set one up and like the IPA interface
> >and tools, but can't sort out the current state in 4.2 to decipher
> >whether this is possible, or even reasonable to try. I need to set up
> >an org sub CA with an offline root CA
> Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL
> 7.2 does not support sub-CA functionality.
>

Andy, you can install FreeIPA as a sub-CA of your offline root.
Support for creating sub-CAs *within* FreeIPA, under the "main"
FreeIPA CA (which in your case is a sub-CA of your offline root), is
not yet available but I am working on that. But if you only need
one CA as a sub-CA of an offline root, you can use FreeIPA today.

> >The dogtag pki-ca in 7.2 appears to be missing some pieces, none of the
> >management themes seem to be available and the console utilities are
> >hit and miss, so I'm looking at this possibility. Seems like overkill
> >but thought I'd toss the idea around.
> I think RHCS is a separate product with support on top of RHEL 7. Check
> with your Red Hat representatives.
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
