On 06/13/2014 02:55 PM, Simo Sorce wrote:
> On Fri, 2014-06-13 at 09:05 +0200, Martin Kosek wrote:
>> On 06/12/2014 07:45 PM, Jan Cholasta wrote:
>> ...
>>> Note that automatic distribution of CA certificates to IPA systems is not
>>> implemented yet (it's planned for IPA 4.2, see
>>> <https://fedorahosted.org/freeipa/ticket/4322>), so /etc/ipa/ca.crt,
>>> /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are updated
>>> *only* during client/server install.
>>>
>>> Honza
>>
>> For 4.0, we will need to come up with a manual procedure how to renew the
>> certificates *without* reinstalling the client or server.
>>
>> I think the best way would be to prepare a simple script to renew
>> client/server, something like
>>
>> /usr/share/ipa/ipa-renew-client-certificate
>> /usr/share/ipa/ipa-renew-server-certificate
>
> I assume you mean /usr/bin or /usr/libexec/ipa ?

Right, that's better. I think we do not want to store it in /usr/bin as fully supported scripts, as I would feel obliged to keep those scripts supported and around even when automatic renewal is available in FreeIPA 4.2. So maybe /usr/libexec/ipa would be better.

>
>> and refer to it in the ipa-cacert-manage man page. People could then pretty
>> easily run those after a cert change, using whatever means their
>> infrastructure uses - puppet, ssh, ...