Kathy Zhu via FreeIPA-users wrote:
> Hi Team,
>
> I'd like to understand more about the /root/cacert.p12 file in a
> self-signed CA environment. Here are the questions:
>
> 1, could this file be located somewhere other than under /root?
> 2, what operations use this file instead of nssdb? In other words, if
> the /root/cacert.p12 file were not in place, what operations would fail?
> 3, any good readings to learn more?

This is not operational. It is a backup of your CA keys in case something catastrophic happens, created at the time of initial server installation.

Depending on the IPA version you don't need it at all. Early versions would use this file to prepare replicas. We ended up instead calling PKCS12Export to generate a new one prior to replica creation. I don't think it is really used with domain-level 1 at all, so any version released in the last 5 years or so.

It is an artifact that comes out of the CA installation. It's in /root to provide the best possible protection for the file. The default is /var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12. We move it.

You might find information about it in the RHCS documentation.

rob
