[Freeipa-users] Certificate Issues

Rob Crittenden rcritten at redhat.com
Tue Feb 19 22:42:41 UTC 2013


Orion Poplawski wrote:
> On 02/19/2013 03:10 PM, Simo Sorce wrote:
>> On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
>>> This is a follow-up to some previous discussions.  I have been lobbying
>>> to keep (and fix) the ability to install your own certificates when
>>> configuring IPA in order to make use of wildcard SSL certificates.  But
>>> it seems this will not be the case.  My last post on this went
>>> unanswered and I see tickets for the removal going forward.
>>>
>>> As I understand it though, I'll still be able to generate a CSR for
>>> the server and get it signed by an external CA?  If this is the case,
>>> I guess this extra expense of individual SSL certificates for the
>>> various IPA servers could be acceptable, although unfortunate as this
>>> is what we had hoped to avoid with the wildcard cert.
>>>
>>> Finally, there was mention of the possibility of getting the IPA CA
>>> signed by an external authority.  Just to let everyone know, this is a
>>> very expensive proposition.  I was quoted a $22,500 start fee plus
>>> licensing costs.  This is *way* out of our (and I suspect many other
>>> small businesses') price range.
>>
>> Why would you need to get your CA signed by a public authority ?
>>
>> When we say external we generally think of another "Internal CA" that
>> you already use for your own services.
>>
>> Simo.
>>
>>
> https://www.redhat.com/archives/freeipa-users/2013-January/msg00216.html
>

The problems with this are:

- Only a very small handful of people actually use this (or used it).
- We don't test this (obviously) and there are a lot of bugs and corner cases.
- Even if we do fix it, we likely still won't test it very often, leading to more woes.
- This will blow up at cert renewal time.
- There is still an underlying CA hidden in there, doing nothing (but perhaps causing problems).
- If you want to support FF < 15 you need an object signing cert too to sign the auto-configure jar.

A far better solution than replacing the certificates post-install is to 
have an option to have a CA-less IPA installation. I doubt we'd actively 
work on adding such an option. But it would likely be a lot more robust 
than changing things after-the-fact.

rob
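Simo's point that "external" usually means another CA you already run, and Orion's question about getting a server CSR signed by one, as an added shell example that is not FreeIPA code and was not part of the original thread. It builds a throwaway internal CA with plain openssl, issues a per-host certificate and a wildcard certificate from CSRs, and then checks which hostnames each certificate actually covers. Every CA name, hostname, file path and lifetime below is an assumption chosen for the demonstration; the only real behaviour shown is openssl's chain and hostname validation, including the rule that `*.example.com` matches one label only.

```shell
#!/bin/sh
# Added example (not FreeIPA code, not from the thread): stand up a throwaway
# internal CA, issue server certificates from CSRs, and check with openssl
# which hostnames each certificate is actually valid for. All names, paths
# and lifetimes below are assumptions chosen for the demonstration.
set -eu

# make_ca DIR: create a self-signed CA (key + cert) in DIR.
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    'prompt=no' '[dn]' 'CN=Example Internal CA' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    > "$1/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME DNSNAME: generate a key and CSR for DNSNAME (the part a
# site does itself), then sign the CSR with DIR's CA, adding a SAN so that
# verifiers accept it. Files are written as DIR/NAME.key, .csr and .crt.
issue_cert() {
  dir=$1 name=$2 dns=$3
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' "CN=$dns" \
    > "$dir/$name.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  # Everything from here on is what the (internal) CA does with the CSR.
  printf '%s\n' "subjectAltName=DNS:$dns" 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# cert_valid_for DIR CERT HOST: succeed only if CERT chains to DIR/ca.crt and
# its names cover HOST (openssl applies the single-label wildcard rule).
cert_valid_for() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo: one per-host cert and one wildcard cert issued by the same CA, then
# each checked against a sibling host and a host one label deeper.
demo() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" ipa1 ipa1.example.com
  issue_cert "$d" wild '*.example.com'
  for host in ipa1.example.com ipa2.example.com ipa.lab.example.com; do
    for name in ipa1 wild; do
      if cert_valid_for "$d" "$d/$name.crt" "$host"; then
        echo "$name.crt  valid for $host"
      else
        echo "$name.crt  NOT valid for $host"
      fi
    done
  done
  rm -rf "$d"
}

demo
```

The per-host certificate verifies only for ipa1.example.com, while the wildcard verifies for ipa1 and ipa2 but not for ipa.lab.example.com, which is the usual reason a wildcard stops helping once servers live in a sub-zone. A certificate issued by a different CA fails `cert_valid_for` even when the names match, so "signed by an external CA" only means anything to clients that trust that CA's certificate.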
