[Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation
Martin Kosek
mkosek at redhat.com
Mon Jan 18 08:06:04 UTC 2016
On 01/15/2016 05:17 PM, Peter Pakos wrote:
> Hi,
>
> We've been testing FreeIPA system for a while now and we're getting closer to
> moving it into production.
>
> I'm considering both CA-less and CA-ful installation types. I hope you guys can
> help me make up my mind and make the right decision.
>
> What are the pros and cons of each install type?
Hello Peter,
I am hoping that this is well explained here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
Some useful notes are also Dmitri Pal's blog post:
http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/
> What exactly are we losing if we choose CA-less install?
You will not be able to issue certificates by the FreeIPA CA, easily generate host
certificates with ipa-client-install, or renew them with certmonger, which supports
the FreeIPA CA.
> One of our requirements is to have a 3rd party HTTP and LDAP certificates
> installed - which install path would be more suitable?
I think both should work. Please see my recent mail:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00243.html
The FreeIPA Demo is running as CA-ful and with 3rd party HTTP certificate.
> I'm also thinking ahead, when it comes to renewing certificates when they
> expire in 1 year time, which install type would cause less problems?
In CA-ful installation, client certificates or FreeIPA CA subsystem
certificates should just renew automatically. In CA-less, you need to take care
to renew them manually with your 3rd party certificate provider.
> I've failed to find any useful info covering the above points, so if you know
> anything, please just let me know.
I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:
http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion
Honza, please let me know if I forgot anything.
>
> I would appreciate your input.
>
> Thanks in advance.
>
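The renewal point above is the operational difference that bites in practice: in a CA-less install certmonger will not renew the third-party HTTP and LDAP certificates, so something has to watch their expiry. The following is an added example, not code from the FreeIPA project or from anyone in this thread. It assumes openssl is in PATH and GNU date is available; the certificates it checks are self-signed ones it generates itself as constructed stand-ins for certificates issued by a third-party CA, and the paths are hypothetical.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: report how long PEM server
# certificates remain valid and flag the ones that need manual renewal,
# which is what a CA-less FreeIPA install requires for its third-party
# HTTP and LDAP certificates (certmonger only renews FreeIPA-CA-issued ones).
# Assumptions: openssl in PATH, GNU date (-d). Paths below are hypothetical.
set -eu

# Print whole days until the certificate's notAfter; 0 or negative once expired.
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 when the certificate stays valid for at least $2 more days.
# openssl's -checkend does the comparison without any date parsing.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed input: a self-signed certificate valid for $2 days, standing in
# for a certificate obtained from a third-party CA.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=ipa.example.test" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# One line per certificate against a renewal threshold, as a cron job would print.
report() {
    days=$(days_until_expiry "$1")
    if valid_for_days "$1" "$2"; then
        echo "OK     $1: $days days left"
    else
        echo "RENEW  $1: $days days left (below the $2-day threshold)"
    fi
}

# Demo run: one certificate issued for a year, one about to run out.
# A real job would point at the PEM files holding the HTTP and LDAP server
# certificates (paths differ per deployment; these are hypothetical).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_cert "$WORK/httpd.pem" 365
make_demo_cert "$WORK/ldap.pem" 20
report "$WORK/httpd.pem" 30
report "$WORK/ldap.pem" 30
```

Run it from cron on each IPA server with a threshold comfortably longer than the time your CA takes to issue a replacement; a non-zero exit from valid_for_days is the signal to start the manual renewal Martin describes.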