N. V. via FreeIPA-users wrote:
> I’m working on integrating the Enrolment over Secure Transport (EST)
> protocol with FreeIPA (4.12.2) to manage certificates in our setup. I’ve
> gone through the docs but couldn’t find information on a few specific
> areas. I’d love to get some advice or pointers from anyone who’s tackled
> something similar:
>
> 1. Storing Generated Certificates in LDAP:
>
>    * How can we set up the EST server to save the certificates it
>      generates directly into the LDAP database that FreeIPA uses?
>    * Are there particular schemas or attributes we need to add or
>      tweak in LDAP for this?
>
> 2. Selecting Sub-CAs (FreeIPA Lightweight CAs):
>
>    * What’s the best way to configure EST to choose Sub-CAs,
>      especially FreeIPA’s Lightweight CAs?
>    * Any best practices or example setups that make this selection
>      smooth within the EST framework?
>
> 3. Choosing Specific Certificate Profiles:
>
>    * How can we set up EST to support selecting different certificate
>      profiles based on various use cases or security needs?
>    * Is there a method to define and manage these profiles within
>      FreeIPA to ensure they work seamlessly with EST requests?
>
> I didn’t find clear answers in the existing FreeIPA and DogTag's EST
> documentation, so any examples, config snippets, or resource links would
> be awesome.
IPA doesn't support the EST protocol in dogtag yet (and no current plans to do so). So unfortunately we have no answers because we haven't looked at it at all.

But off the top of my head, the current IPA integration is fairly tight because IPA is the initiator of certificate requests. If it is done over EST then it sounds like you'd need some pre-issuance policy/profile enforcement and a post-issuance trigger to update LDAP with the certificate and do any other things needed. I do not know if either is available. You'd need to check with the dogtag PKI team.

> Also, if there are any known issues or things to watch out for when
> integrating EST with FreeIPA for these features, I’d appreciate the
> heads-up.

rob

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org