Hi Fraser, I think I will go with option a). It appears to be the simpler one, and I can
ditch AD in the future if IPA becomes good enough to replace it. So they aren’t tied.
Thank you.
PS: You’re the same guy from the link.
On 19 Jul 2020, at 23:22, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Sat, Jul 18, 2020 at 12:45:03AM +0000, Vinícius Ferrão via FreeIPA-users wrote:
> Hello,
>
> I need to issue some certificates for the AD Environment and I
> don’t have ADCS in place. So my FreeIPA deployment was with a self
> signed CA and the common AD Trust enabled.
>
> Now with this issue I’m looking on the IPA’s documentation and
> there’s some recommendations to deploy IPA as a subCA from ADCS,
> but as I said, I don’t have it. So I was thinking if it’s
> possible to issue certificates for Windows machines directly from
> FreeIPA, and if this is recommended or not.
>
> If it’s possible but it will be a hassle, there’s a way to make
> FreeIPA talk with ADCS after the deployment? I can setup an ADCS
> instance to keep Windows certificates in a separate location.
>
> I saw this post:
>
https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-inte...
> but I don’t think it’s the same issue here; the valuable info that
> I found on this site is about trusting the FreeIPA CA certificate
> on Windows environment: "Operationally there is one additional
> step when the IPA CA is not subordinate to the AD CA: the IPA CA
> certificate has to be explicitly trusted.”; but the use case does
> not seem to be on a Windows system.
>
> Thanks for any guidance.
>
Hi Vinícius,
FreeIPA does not support the enrolment protocols used by Windows
systems. You might have an easier time using AD-CS. If you decide
to use AD-CS you have three options on how to relate the PKIs:
a) Have AD-CS as a separate PKI. You will need to add the AD-CS CA
cert to IPA's trust store and vice-versa.
b) Re-chain the IPA CA to become a subordinate of the AD-CS CA.
c) Make AD-CS a subordinate of the IPA CA. See [1] for how to issue
subordinate CA certs from FreeIPA.
[1]
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
If you decide to continue without AD-CS, we can help with issuance
(the profile configuration, CA ACLs, etc) but I have no idea about
the procedure on the Windows side (creating the CSR, installing the
certificate, etc).
Cheers,
Fraser
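For option a) above, the IPA side of the cross-trust is a two-step procedure: install the external CA certificate into IPA's trust store, then refresh the trust stores on every enrolled host. The script below is an added illustration of that, not code from the thread or from the FreeIPA project. It assumes the AD CS root certificate has been exported as a single PEM file at /tmp/adcs-root.pem and that the NSS nickname "ADCS-Root-CA" is acceptable; the PEM sanity check is there so that a truncated export or a whole bundle is rejected before it reaches the trust store.

```shell
#!/bin/sh
# Added example (not from the thread): IPA side of cross-trusting two
# independent CAs, as in option (a). Assumed input: /tmp/adcs-root.pem,
# the AD CS root CA certificate exported from Windows in PEM form.

# Sanity check before touching the trust store: the file must contain
# exactly one PEM certificate, with BEGIN before END.
is_single_pem_cert() {
    f="$1"
    [ -f "$f" ] || return 1
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 1
    begin_line=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$f" | cut -d: -f1)
    end_line=$(grep -n -e '-----END CERTIFICATE-----' "$f" | cut -d: -f1)
    [ "$begin_line" -lt "$end_line" ]
}

# Install the AD CS root into IPA's trust store (kept in LDAP), then pull
# the updated trust material into this host's local stores. ipa-certupdate
# has to be run on every IPA server and client, not only here.
trust_adcs_ca_in_ipa() {
    cert="$1"
    nickname="${2:-ADCS-Root-CA}"   # assumed nickname for the NSS entry
    if ! is_single_pem_cert "$cert"; then
        echo "refusing to install: $cert is not a single PEM certificate" >&2
        return 1
    fi
    # -t C,, marks the entry as a trusted CA for server authentication.
    ipa-cacert-manage install "$cert" -n "$nickname" -t C,, || return 1
    ipa-certupdate
}

# Usage (as root on an IPA server):
#   trust_adcs_ca_in_ipa /tmp/adcs-root.pem
```

The Windows half of the same option is the step the quoted blog post calls "explicitly trusting" the IPA CA: the IPA CA certificate (available as /etc/ipa/ca.crt on any enrolled host) is imported into the Trusted Root store on each Windows machine, for example with `certutil -addstore Root ipa-ca.crt`, or distributed through Group Policy. Neither CA is subordinate to the other, so either side can later be retired without re-issuing the other side's certificates.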