[Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority?

Adam Young ayoung at redhat.com
Mon Feb 13 16:58:58 UTC 2012


On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
> Hi,
> I see DogTag PKI used as a certificate server for the enrollment of 
> hosts and services.
> What about the enrollment of normal X509v3 certificates? I have not 
> seen, correct me if I'm wrong, any reference to the possibility to use 
> it as a regular CA for user certificates. Not within FreeIPA, of course.
>
> Is there any drawback in using it as the primary CA for the company?

It is a full CA.  You can use it as such.  Dogtag is a vibrant project 
in its own right,  and you can find developers on #dogtag-pki in 
Freenode.  The install is done via pkisilent,  and you might want to 
make sure that you understand the parameters used to call it.

One major drawback is that IPA has disabled Nonces in the Dogtag 
backend.  These are there to defend against a CSRF attack.  What this 
means is that you should not expose the Dogtag WebUI through the IPA 
server,  either on its Dogtag port or via HTTP proxy.  It should be 
explicitly stated that IPA implements Nonces for its web UI, and does 
not allow session based calls through to the Dogtag back end,  so its 
configuration is secure.  The problem is only exposed if you expose 
additional web URLs to the Dogtag backend beyond those specified in the 
PKI Proxy.

Enabling nonces will break IPA.

I've installed and used the standard Java tools for Dogtag and used them 
to talk to the PKI backend installed by IPA.  They work fine.

Currently,  IPA acts as a single Agent in Dogtag.   This should be 
fine.  For other certificate usage,   you should probably use a 
different agent.  IPA does not currently support user certificates.  
However,  there are standard LDAP object classes and attributes that you 
could conceivably use to record them if you wanted to keep them in a 
single DirSrv.  Obviously,  you do not want to put the private keys on 
the IPA server, so plan accordingly.

Red Hat does not support using the Certificate Server (PKI) backend with 
its Identity management install for purposes other than support for the 
IdM (IPA) front end, so beware that you have no "up sell" if you desire 
to get paid support for IPA.

>
> Thanks a lot again!
> Marco
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
