On 03/22/2013 01:10 PM, Petr Viktorin wrote:
The design page for CA-less installation with user-provided SSL certs is
available at http://freeipa.org/page/V3/CA-less_install. I've also
copied it to this mail.

Does it answer all your questions?

I have added "Affected commands" and "Clients" sections to the RFE.

Since I mentioned host-mod which takes certs in yet another format, I've added a "Base64-encoded DER certificates" section as well.

== Affected commands ==

IPA's cert plugin and cert-* commands will not be available at all.
Calling them will result in CommandError (code 905)
No online help will be available on them, or on the "cert" topic.

Certificates removed from LDAP will not be automatically revoked. This
affects the following commands:

* host-del
* host-mod
* host-disable
* service-del
* service-mod
* service-disable

== Clients ==

Clients in a CA-less IPA installation will work normally, except
host certificates will not be assigned automatically.

Older clients configure certmonger to obtain the host certificate, which
will fail, with the folloging line apparing periodically in the system log:

Server failed request, will retry: 905 (RPC failed at server. unknown command 'cert_request').

The errors can be stopped by issuing:

    # getcert list  # to find out the certmonger request ID
    # getcert stop-tracking <ID of offending request>

If needed, machine certificates may be obtained from the external CA and added
to the server with:

    ipa host-mod <hostname> --certificate <base64-encoded DER cert>


=== Base64-encoded DER certificates ===

The letters and symbols between a PEM file's BEGIN CERTIFICATE and
END CERTIFICATE markers are a base64-encoded DER-encoded X.509 certificate.
To convert between PEM and base64-encoded DER, just add or remove the markers
in a text editor.


Freeipa-devel mailing list

Reply via email to