You are correct that a CA is included in IdM.  But many organizations design their root CA as an independent device, often kept offline for security.  The IdM CA is then configured as a Sub-CA, responsible for its own security domain.  The benefit here is that the root CA can also provide certificates to other security sub domains, like AD, or a VMware cluster.

Steve

On Tue, Feb 19, 2019, 16:34 William Brown, <wbrown@suse.de> wrote:


> On 20 Feb 2019, at 03:21, Steve Kuervers <kuervers.sj@gmail.com> wrote:
>
> Sandy, I'm a fan of your suggested FreeIPA implementation, but some real planning is required ahead of time.
>
> You need to dig into the documentation and look at what your real requirements are.  I'd suggest you plan yourself with something similar to this:
>
> root CA - CentOS 7.x with 389-directory server and dogtag-pki CA configuration (may not be necessary depending on your requirement)
> - this can be kept offline and secure

I would advise *not* using the CA functionality in IPA, and just bringing in p12 bundles instead. You could automate this with Let’s Encrypt or other CA that you may use.

>
> two or more identity management servers set up to replicate - CentOS 7.x with IdM installed (IdM is part of the baseline install for CentOS)
>
> I've successfully used IdM to support an ovirt virtualization cluster, and I'm told that IdM to Windows AD is relatively painless (but have not done it myself).
>
> Clients - IdM will support Fedora, CentOS 6 and CentOS 7 clients, plus all kinds of other capabilities
>
> Built this way, you will look a lot like the Redhat upstream solution, and you can even use the upstream documentation to plan
>
> - Root CA = RHEL 7 Redhat Certificate Server on Redhat Directory Server

The CA is part of IdM, not separate.

> - IdM servers = RHEL 7 servers with IdM
> - ovirt virt cluster = Redhat Enterprise Virtualization
>
> Your actual Root CA, IdM servers and test clients can even exist within the ovirt cluster as clients.
>
> Steve
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


Sincerely,

William Brown
Software Engineer, 389 Directory Server
SUSE Labs
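An added example, not code from this thread or from the FreeIPA project, that models the offline-root / IdM-sub-CA layout Steve describes using openssl: a self-signed offline root signs a CSR standing in for the one `ipa-server-install --external-ca` writes to /root/ipa.csr, then the result is chain-checked the way the installer does when the certificates are handed back with `--external-cert-file`. It assumes openssl is in PATH; the organization names, realm, paths and lifetimes are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Models the offline-root / IdM-sub-CA arrangement with openssl:
#   1. an offline root CA (self-signed),
#   2. a CSR standing in for the one "ipa-server-install --external-ca"
#      writes to /root/ipa.csr,
#   3. the root signing that CSR as a CA certificate,
#   4. a chain check of the kind the IdM installer performs on
#      "--external-cert-file" input.
# Assumes: openssl in PATH. Subjects, paths and lifetimes are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root_ca
[dn]
[v3_root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Offline root: self-signed, long-lived. In production the key lives on an
# air-gapped host or an HSM and only the certificate leaves that machine.
make_root_ca() {
  write_req_config
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -days 3650 -subj "/O=Example Org/CN=Example Offline Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Stand-in for the CSR that "ipa-server-install --external-ca" produces.
# IdM uses "CN=Certificate Authority,O=<REALM>" as its CA subject.
make_subca_csr() {
  write_req_config
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout "$WORK/ipa.key" -out "$WORK/ipa.csr" 2>/dev/null
}

# The root signs the IdM CSR as a CA. CA:TRUE and keyCertSign are required
# or the IdM installer rejects the certificate. No pathlen is set because
# the IdM CA can itself issue lightweight sub-CAs (ipa ca-add); add
# "pathlen:0" only if that will never be needed.
sign_subca() {
  cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -days 1825 -in "$WORK/ipa.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/subca.ext" -out "$WORK/ipa.crt" 2>/dev/null
}

# Chain check: does ipa.crt validate against the root certificate alone?
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/ipa.crt" >/dev/null 2>&1
}

# Does the signed certificate actually carry CA:TRUE?
subca_is_ca() {
  openssl x509 -in "$WORK/ipa.crt" -noout -text | grep -q 'CA:TRUE'
}

run_demo() {
  make_root_ca
  make_subca_csr
  sign_subca
  if verify_chain && subca_is_ca; then
    echo "chain OK: $WORK/ipa.crt is a CA certificate signed by $WORK/root.crt"
  else
    echo "chain check FAILED" >&2
    return 1
  fi
  # Real flow from here: copy ipa.crt and root.crt to the IdM host and run
  #   ipa-server-install --external-cert-file=ipa.crt --external-cert-file=root.crt
}

run_demo
```

Two things to watch when doing this for real: the root key never goes near the IdM host (only root.crt and the signed ipa.crt go back), and the extensions on the sub-CA certificate matter more than its subject; a root that signs the CSR without CA:TRUE and keyCertSign yields a certificate the installer will refuse.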