On Fri, 2014-06-13 at 09:05 +0200, Martin Kosek wrote:
> On 06/12/2014 07:45 PM, Jan Cholasta wrote:
> ...
> > Note that automatic distribution of CA certificates to IPA systems is not
> > implemented yet (it's planned for IPA 4.2, see
> > <https://fedorahosted.org/freeipa/ticket/4322>), so /etc/ipa/ca.crt,
> > /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are updated 
> > *only*
> > during client/server install.
> > 
> > Honza
> 
> For 4.0, we will need to come up with manual procedure how to renew the
> certificates *without* reinstalling the client or server.
> 
> I think the best way would be to prepare a simple script to renew
> client/server, something like
> 
> /usr/share/ipa/ipa-renew-client-certificate
> /usr/share/ipa/ipa-renew-server-certificate

I assume you mean /usr/bin or /usr/libexec/ipa ?

> and refer to it in the ipa-cacert-manage man page. People could then pretty
> easily run those after a cert change, using whatever means their 
> infrastructure
> uses - puppet, ssh, ...


-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to