Hi FreeIPA users,
As briefly mentioned in "[Freeipa-users] FreeIPA PKI with OpenVPN",
I'm looking into using FreeIPA and Dogtag to provide network certs for Chromebooks (from reading so far it looks like I'll need to use SCEP or CMC - the latter being preferred). Has anyone achieved this, or can anyone offer any pointers to either the server or client/extension side hurdles?
Kind regards,
David
David Harvey via FreeIPA-users wrote:
IPA doesn't provide direct support itself but its CA is dogtag. You probably will need to check with the dogtag folks for more details (they sometimes lurk on the list so maybe one will chime in).
dogtag supports SCEP for sure, http://www.dogtagpki.org/wiki/SCEP
You just won't get IPA integration this way: issued certs won't be automatically added to services/hosts/users, won't be revoked on removal, etc.
The way I've done SCEP with dogtag is create a username/pin on the dogtag side and do SCEP enrollment using that.
rob
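A client-side illustration of the pin-based enrollment Rob describes, added here as an example and not code from the thread or from the Dogtag project: in SCEP the pin created on the Dogtag side travels inside the PKCS#10 request as the challengePassword attribute, so the CSR the client submits has to carry it. The subject name, pin and file paths are constructed placeholders; it assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Build a PKCS#10 CSR that carries the SCEP challengePassword attribute
# (the Dogtag-side "pin"), then check the result before sending it to
# the SCEP endpoint. Hypothetical helper names; not Dogtag/IPA tooling.

# make_scep_csr <workdir> <subject-CN> <pin>
# Writes $workdir/client.key and $workdir/client.csr.
make_scep_csr() {
  dir=$1; cn=$2; pin=$3
  # The pin is a one-time enrollment secret: keep the config file and
  # the key in a private directory and remove them after enrollment.
  cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
attributes         = attrs
prompt             = no
[ dn ]
CN = $cn
[ attrs ]
challengePassword = $pin
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" \
    -config "$dir/req.cnf" 2>/dev/null
}

# csr_has_pin <csr> <pin>
# Returns 0 only if the CSR's self-signature verifies (proof of
# possession of the key) and its challengePassword equals <pin>.
csr_has_pin() {
  csr=$1; pin=$2
  openssl req -in "$csr" -noout -verify 2>/dev/null || return 1
  openssl req -in "$csr" -noout -text 2>/dev/null \
    | grep -q "challengePassword *:$pin"
}
```

The resulting client.csr is what a SCEP client (Chromebook extension or otherwise) wraps in its PKCSReq; the CA matches the embedded pin against the record created for that username on the Dogtag side.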
Awesome, thanks for the info Rob. I will check out your method. It looks like it (Dogtag) has some improving CMC support too, so will have a dig.
On Tue, 3 Apr 2018, 18:19 Rob Crittenden, rcritten@redhat.com wrote:
freeipa-users@lists.fedorahosted.org