[Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority?
Adam Young
ayoung at redhat.com
Mon Feb 13 16:58:58 UTC 2012
On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
> Hi,
> I see DogTag PKI used as a certificate server for the enrollment of
> hosts and services.
> What about the enrollment of normal X509v3 certificates? I have not
> seen, correct me if I'm wrong, any reference to the possibility to use
> it as a regular CA for user certificates. Not within FreeIPA, of course.
>
> Is there any drawback in using it as the primary CA for the company?
It is a full CA. You can use it as such. Dogtag is a vibrant project
in its own right, and you can find developers on #dogtag-pki in
Freenode. The install is done via pkisilent, and you might want to
make sure that you understand the parameters used to call it.
One major drawback is that IPA has disabled Nonces in the Dogtag
backend. These are there to defend against a CSRF attack. What this
means is that you should not expose the Dogtag WebUI through the IPA
server, either on its Dogtag port or via HTTP proxy. It should be
explicitly stated that IPA implements Nonces for its web UI, and does
not allow session based calls through to the Dogtag back end, so its
configuration is secure. The problem is only exposed if you expose
additional web URLs to the Dogtag backend beyond those specified in the
PKI Proxy.
Enabling nonces will break IPA.
I've installed and used the standard Java tools for Dogtag and used them
to talk to the PKI backend installed by IPA. They work fine.
Currently, IPA acts as a single Agent in Dogtag. This should be
fine. For other certificate usage, you should probably use a
different agent. IPA does not currently support user certificates.
However, there are standard LDAP object classes and attributes that you
could conceivably use to record them if you wanted to keep them in a
single DirSrv. Obviously, you do not want to put the private keys on
the IPA server, so plan accordingly.
Red Hat does not support using the Certificate Server (PKI) backend with
its Identity management install for purposes other than support for the
IdM (IPA) front end, so beware that you have no "up sell" if you desire
to get paid support for IPA.
>
> Thanks a lot again!
> Marco
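An added illustration (not Dogtag's or FreeIPA's code) of the two controls the reply describes: the PKI proxy forwarding only explicitly listed backend URLs, and a session-bound nonce on state-changing Dogtag requests. The allowlisted paths, the session object and the nonce handling are constructed assumptions for this example, not the real proxy configuration.

```python
# Toy model of the two defenses discussed in the reply. Constructed for this
# example; it does not reproduce Dogtag's or IPA's actual code or config.
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed stand-in for the backend URLs the IPA PKI proxy forwards.
# Anything not listed never reaches the Dogtag backend through IPA.
PROXY_ALLOWLIST = {"/ca/ee/ca/profileSubmit", "/ca/agent/ca/displayBySerial"}


@dataclass
class Session:
    """An authenticated agent session (hypothetical; assumption of this example)."""
    user: str
    nonces: Set[str] = field(default_factory=set)

    def issue_nonce(self) -> str:
        """Mint a fresh single-use nonce bound to this session, as a page load would."""
        n = secrets.token_hex(16)
        self.nonces.add(n)
        return n


def proxy_admits(path: str) -> bool:
    """Model of the PKI proxy: only explicitly listed backend URLs pass through."""
    return path in PROXY_ALLOWLIST


def backend_accepts(session: Session, nonce: Optional[str], nonces_enabled: bool) -> bool:
    """Model of a state-changing Dogtag request reaching the backend.

    With nonces enabled the request must carry a nonce minted for this session;
    a cross-site forged request cannot know it, so it is rejected. With nonces
    disabled (as in the IPA-installed backend) any authenticated request is
    accepted, which is why extra URLs must not be exposed past the proxy.
    """
    if not nonces_enabled:
        return True
    if nonce is None or nonce not in session.nonces:
        return False
    session.nonces.discard(nonce)  # single use: a replayed nonce is rejected
    return True


def handle(path: str, session: Session, nonce: Optional[str],
           nonces_enabled: bool, via_proxy: bool = True) -> str:
    """Outcome of one request, first through the proxy model, then the backend."""
    if via_proxy and not proxy_admits(path):
        return "blocked by proxy"
    if backend_accepts(session, nonce, nonces_enabled):
        return "accepted"
    return "rejected: bad nonce"
```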