On Mon, Dec 03, 2018 at 06:23:04PM -0500, Rob Foehl via FreeIPA-users wrote:
> Are there any practical differences between IPA-issued certificates for
> hosts and services (ipa-getcert -K service/hostname for the latter), if
> they're only being used to identify the host in a non-Kerberos-aware TLS
> context?
>
> I'd like to omit the service management if it's not useful in this case.
>

No significant differences for most use cases. If using only host
principals works for you, go ahead.
The main drawback is if you have a lot of different certs, it blows up
the size of the host object in LDAP. (True of services too, but if you
are using service principals you won't need so many certs on a single
object).

Cheers,
Fraser

> -Rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org