> On 2 Dec 2020, at 19:04, Angel Bosch Mora <[email protected]> wrote: > >> depending on your version of 389, look at "dsctl <instance name> tls >> import-ca" >> >> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca >> --help >> usage: dsctl [instance] tls import-ca [-h] cert_path nickname >> >> positional arguments: >> cert_path The path to the x509 cert to import as a server CA >> nickname The name of the certificate once imported >> >> optional arguments: >> -h, --help show this help message and exit >> >> This allows you to import a PEM CA file. There are a number of other >> helpers under the tls subcommand to make cert management easier. >> > > > all this is pretty new, right? > > I can't recall reading this last time I checked docs.
I don't remember what version it was landed in, but certainly one 1.4.x somewhere. > > anyway, my main problem is that to deploy a node in a truly unattended mode > It shouldn't pause at CSR request and continue when CA sign certificates, so > I'm trying to have some preconfigured cert databases and signed certs. > > If there's no way to do that, I can't dynamically create and destroy nodes. > > the other option is letting the loadbalancer handle encryption, but official > docs are very aggressive against that option, but I wonder if I should ignore > that recommendation and encrypt at LB level. > any hints? You can setup an instance with *no* TLS setup with self_signed = false in the setup.inf, then you can later add the nssdb + enable encryption. That's probably what you want here. > > abosch > -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol > fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i > pot contenir informacio confidencial. En cap cas no heu de copiar aquest > missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si > no sou la persona destinataria que s'hi indica (o la responsable de > lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca > electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau > si es realment necessari. > _______________________________________________ > 389-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs, Australia _______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
