I've been testing Foreman for some months now. It runs fine, and we managed to use the FreeIPA PKI to manage the Puppet certificates that Foreman is based on (with foreman_hook to add the puppet service in FreeIPA just after host creation). Now I'm taking a look at Katello, but this time it seems a little bit different. As I understand it, Katello uses more certificates than Foreman, doesn't use Puppet certificates, and manages its own PKI. We try to avoid the growth of different PKIs in our envs, for easy PKI management purposes. FreeIPA has a design proposal to add sub-CAs and some other PKI-related stuff that will help us to achieve this (http://www.freeipa.org/page/V4/Sub-CAs).
Is there a way to use FreeIPA for all certificates for Katello (maybe just leave subscription certificates out of this central PKI)?
Have a nice day.