On 8.7.2016 15:59, Rob Crittenden wrote:
Petr Spacek wrote:
On 8.7.2016 15:31, Rob Crittenden wrote:
Petr Spacek wrote:
Hi,

our docs

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca

claim this:
"The certmonger service is not used to track certificates. Therefore, it does not warn you of impending certificate expiration."

Is this correct?

Can we at least configure certmonger to passively track the certificates and
throw a warning about impending expiration into logs?

+1, I have already suggested we do this several times.



Throw a warning where? Register an e-mail address as part of the tracking
perhaps?

It would probably be fairly easy to write a "CA" that sends an e-mail. The
trick, and this has always tripped us up, is having an MTA configured.

I would start with logs, as I wrote in the original message. This will
naturally evolve into something else when we finally get
user-configurable hooks.

In any case, having certmonger configured to track the certs is a prerequisite
for all cases...

"Logs" is not very specific, do you mean syslog/journal?

Feel free to open an RFE against certmonger with your proposal. I
suspect that anything logged will just get lost in most cases.

For the IPA CA certificate, we log warnings to syslog with ALERT level. I think doing that for other certs would be good enough for starters.


rob



--
Jan Cholasta
