[Freeipa-devel] [RFE] CA-less install

Petr Viktorin pviktori at redhat.com
Fri Mar 22 13:04:17 UTC 2013


On 03/22/2013 01:32 PM, Dmitri Pal wrote:
> On 03/22/2013 08:10 AM, Petr Viktorin wrote:
>> The design page for CA-less installation with user-provided SSL certs
>> is available at http://freeipa.org/page/V3/CA-less_install. I've also
>> copied it to this mail.
>>
>> Does it answer all your questions?
>>
> Petr,
>
> It answers a lot of questions.
> However isn't the whole goal to be able to use external CA we do not
> have control of as a part of the trust chain?
>
> I might very well confuse things so bear with me.
>
> Say I have a public CA X I want to use as the root of my trust chain so
> that I do not need to distribute certificates to all my clients.
> I can't create a sub CA using external-ca because it will cost me a lot
> of money.
>
> But I can create a PKI pair for just two servers (HTTP and DS) much
> cheaper. Is this the assumption?
> Is this really how this works? Is it really easy to get a CSR signed by
> a public CA X?

IMO one case is that there's a single corporate (not necessarily public) 
CA, with a policy that it will not sign subordinate CA certs, but it can 
sign server certs?

Your case works too. Yes, server CSRs are easier to get signed than CA 
ones. (Do you mean "globally trusted" when you say public? With a 
globally trusted CA you can pretty much impersonate anybody on the 
Internet.)

Someone familiar with certification policies should chime in if you need 
more details. I've learned a lot about the technical details but 
policies are another thing.

> Other comments: what are the implications on the certmonger and cert
> rotation. I assume certmonger will be turned off. It should then be
> documented that we will not track or warn about the cert expiration.

Yes, Certmonger is not installed, cert rotation must be handled 
manually. I've updated the page.

> In future for the KDC pkinit support we will need yet another cert for
> the KDC, you do not need to implement it now but please consider this in
> the design.

Added to the page.

> Page misses you as an author.

Added. I've also added an author section to [[Feature template]] so I 
remember next time.

-- 
Petr³
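Since the reply above notes that Certmonger is not installed on a CA-less install and nothing will track or warn about expiry of the user-provided HTTP and DS server certs, here is an added example of the manual check an admin would run from cron instead. It is not FreeIPA project code and not from the thread; it uses only the `openssl` CLI, and the file paths, the 30-day threshold and the constructed self-signed demo cert are assumptions. The real server certs live in the install's NSS databases, so on a live server you would first export each one to PEM (for example with `certutil -L -d <dbdir> -n <nickname> -a`, nickname being an assumption) and point the script at those files.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: on a CA-less install certmonger is
# not installed, so nothing warns before the HTTP and DS server certs expire.
# This script does that check with plain openssl. The file paths and the
# 30-day threshold are assumptions for the example.
set -eu

# Return 0 if the PEM cert in $1 is still valid $2 days from now, 1 if not.
# `openssl x509 -checkend N` exits non-zero when the cert expires within N s.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the notAfter date of the PEM cert in $1 (used in the warning message).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Check every cert file given as an argument against WARN_DAYS (default 30).
# Returns 1 if any of them is within the threshold or already expired, so a
# cron job can alert on the exit status, which is what certmonger would
# otherwise have done for you.
check_server_certs() {
    threshold="${WARN_DAYS:-30}"
    rc=0
    for pem in "$@"; do
        if ! cert_valid_for_days "$pem" "$threshold"; then
            echo "WARNING: $pem expires within $threshold days (notAfter=$(cert_not_after "$pem"))" >&2
            rc=1
        fi
    done
    return $rc
}

# Self-contained demo: a constructed self-signed cert valid for 20 days stands
# in for a user-provided HTTP or DS server cert. On a real server the certs
# come from the external CA; export them from the NSS databases to PEM first.
demo_dir="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
    -subj "/CN=ipa.example.test" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/http-cert.pem" 2>/dev/null

if check_server_certs "$demo_dir/http-cert.pem"; then
    echo "all server certs valid for at least ${WARN_DAYS:-30} more days"
fi
rm -rf "$demo_dir"
```

Run it with the PEM files of the HTTP and DS certs as arguments (and `WARN_DAYS` set to whatever lead time your CA needs to re-issue a server cert); with the 20-day demo cert and the default 30-day threshold it prints a warning and exits 1, which is the behaviour you want from a cron job standing in for certmonger's expiry tracking.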