>From: Dmitri Pal <d...@redhat.com>
>>
>
>Let us take one at a time.
>Dogtag is the certificate system.
>Web services and many other servers use certificates for SSL/TLS peer-to-peer 
>confidentiality and authentication.
>The certificates need to be issued, so IPA can issue certs for those services 
>in your environment.
>There is a client component called certmonger. Certmonger can track the 
>expiration of the certs and connect to IPA automatically to acquire a new 
>cert.
>There will be more certificate related features over time. They would 
>include support of pkinit, issuance and management of the user certificates 
>and many others.
>Some of the work has started but is not complete; this is why you might notice 
>pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
>>>Hope it clarifies things.
>
Thanks. That's pretty clear. certmonger and Dogtag could be a very useful 
combination.
For my case, where internal/outside company web servers already have externally 
certified 3-year wildcard certificates, and IPA/LDAP servers have 
dogtag/certmonger installed for them, maybe I can put off installing host 
certificates and certmonger services on other IPA clients to save a few CPU 
cycles now?

Sure, I can turn certmonger on and create host certificates anytime as long as 
needs pop up later.
>What is the reason for manually configuring the client?

The main purpose here is company policy. We use central config management 
systems to push out config files, etc. Basically we did it for separate 
Kerberos and LDAP solutions, and now it is required to do that for the IPA solution 
as well. Another benefit is, as long as I know how to do it manually, then in 
case the combo script ipa-client-install is overkill, I can do subcomponents 
only.

Thanks.

--David
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users