Pieter Baele
2017-04-28 14:15:09 UTC
Hi,
We will start setting up IDM/FreeIPA for a specific linux subdomain in our
enterprise.
The part of setting up a trust is clear: we will be using an external trust
for a selected Active Directory domain.
But how can we best integrate with the enterprise CA infrastructure (MS
Certificate Services)?
Is it possible to deploy FreeIPA (dogtag) as rootCA, and to publish
requests for public HTTPS certificates by GlobalSign, or if internal, the
MS Certificate Services rootCA?
We can still use FreeIPA for all certificates where we need to encrypt
end-to-end communication between servers (as an example).
What about the principle of an offline rootCA in that case?
Or is there a specific reason that a subordinate CA is a better idea,
signed by the root CA of the MS PKI infrastructure?
And if we ask for a subordinate CA, is it possible to limit exposure/risks
by setting some extensions?
To conclude: own rootCA, or subordinate CA signed by the existing MS
Certificate Services PKI?
Sincerely, Pieter Baele
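As an added illustration of the "limit exposure via extensions" question (this is example code written for this page, not anything from the thread, FreeIPA or Microsoft Certificate Services), the script below builds a throwaway PKI with the openssl CLI: a root, a subordinate CA whose certificate carries basicConstraints pathlen:0, a critical nameConstraints limited to a DNS subtree and an extendedKeyUsage of TLS only, and then three test certificates beneath it. It assumes openssl 1.1.1 or newer is on PATH; all CA names and host names (linux.example.test, corp.example.test) are made up. The verification step shows what a relying party that honours the extensions does with a certificate outside the permitted names and with an unexpected extra CA under the constrained one.

```shell
#!/bin/sh
# Added example, not code from the original thread: builds a throwaway test
# PKI with the openssl CLI to show how extensions on a subordinate CA's
# certificate (pathlen, nameConstraints, extendedKeyUsage) bound what it can
# be misused for, and how 'openssl verify' enforces them. All names are made
# up for the demo; it needs openssl 1.1.1 or newer on PATH.
set -eu

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
CN = Demo Root CA
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}
# key_and_csr DIR NAME SUBJECT: fresh P-256 key plus a CSR for SUBJECT.
key_and_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -new -key "$1/$2.key" -subj "$3" -config "$1/req.cnf" -out "$1/$2.csr"
}
# sign DIR NAME ISSUER EXTFILE: issue NAME's CSR under ISSUER with EXTFILE's extensions.
sign() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
}
# leaf_ext DIR FILE DNSNAME: end-entity extensions for a TLS server certificate.
leaf_ext() {
  cat > "$1/$2" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$3
EOF
}

# build_constrained_pki DIR: root CA -> constrained sub CA -> three test leaves.
build_constrained_pki() {
  write_cnf "$1"
  # Root CA; in a real deployment this key stays offline.
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/root.key"
  openssl req -x509 -new -key "$1/root.key" -config "$1/req.cnf" -days 30 -out "$1/root.pem"
  # Subordinate CA. These extensions are what limit the blast radius if its key leaks:
  #   pathlen:0        -> end-entity certs only, never another CA beneath it
  #   nameConstraints  -> only names under linux.example.test can ever validate
  #   extendedKeyUsage -> certs below it are for TLS, not e.g. code signing
  cat > "$1/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
nameConstraints = critical, permitted;DNS:linux.example.test
subjectKeyIdentifier = hash
EOF
  key_and_csr "$1" subca "/CN=Demo Linux Subordinate CA"
  sign "$1" subca root subca.ext
  # web1: inside the permitted namespace, expected to verify.
  leaf_ext "$1" web1.ext web1.linux.example.test
  key_and_csr "$1" web1 "/CN=web1.linux.example.test"
  sign "$1" web1 subca web1.ext
  # dc1: a host outside it (say an AD domain controller), name constraint violation.
  leaf_ext "$1" dc1.ext dc1.corp.example.test
  key_and_csr "$1" dc1 "/CN=dc1.corp.example.test"
  sign "$1" dc1 subca dc1.ext
  # web2: issued by an extra CA placed under the sub CA, path length exceeded.
  key_and_csr "$1" subsub "/CN=Demo Unexpected Sub-Sub CA"
  sign "$1" subsub subca subca.ext
  leaf_ext "$1" web2.ext web2.linux.example.test
  key_and_csr "$1" web2 "/CN=web2.linux.example.test"
  sign "$1" web2 subsub web2.ext
  cat "$1/subca.pem" "$1/subsub.pem" > "$1/chain.pem"
}

# verify_leaf DIR NAME UNTRUSTED: 0 if NAME chains to the root under every
# constraint, non-zero otherwise; UNTRUSTED holds the intermediate cert(s).
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3" "$1/$2.pem" >/dev/null 2>&1
}
# verify_reason DIR NAME UNTRUSTED: first verification error text, empty when OK.
verify_reason() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3" "$1/$2.pem" 2>&1 \
    | sed -n 's/.*depth lookup: *//p' | head -n 1
}

demo() {
  d=$(mktemp -d)
  build_constrained_pki "$d"
  for c in "web1 subca.pem" "dc1 subca.pem" "web2 chain.pem"; do
    set -- $c
    verify_leaf "$d" "$1" "$2" && echo "$1: OK" \
      || echo "$1: rejected: $(verify_reason "$d" "$1" "$2")"
  done
  rm -rf "$d"
}
demo
```

Run it as a plain `sh` script; it prints one line per test certificate (web1 accepted, dc1 and web2 rejected with the reason). The caveat worth keeping in mind when deciding between an own root and a constrained subordinate: the constraints only help against relying parties that actually evaluate them, so check the TLS stacks and browsers in scope, and the issuing side (the CA that signs the subordinate) still has to be willing to put these extensions in, which is a conversation to have with whoever runs the MS PKI.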