>From: Dmitri Pal <d...@redhat.com>
>Let us take one at a time.
>Dogtag is the certificate system.
>Web services and many other servers use certificates for SSL/TLS peer-to-peer
>confidentiality and authentication.
>The certificates need to be issued so IPA can issue certs for those services
>in your environment.
>There is a client component called certmonger. Certmonger can track the
>expiration of the certs and connects to IPA automatically to acquire a new
>cert.
>There will be more certificate related features over time. They would
>include support of pkinit, issuance and management of the user certificates
>and many others.
>Some of the work started but is not complete, this is why you might notice
>pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
>Hope it clarifies things.
Thanks. That's pretty clear. certmonger and Dogtag could be a very useful
For my case, where internal/outside company web servers already have external
certified 3-year wildcard certificates, and IPA/LDAP servers have the
dogtag/certmonger installed for them, maybe I can put off installing host
certificates and certmonger services on other IPA clients to save a few CPU
Sure I can turn certmonger on and create host certificates anytime as long as
needs pop up later.
>What is the reason for manually configuring the client?
The main purpose here is company policy. We use central config management
systems to push out config files etc. Basically we did it for separate
Kerberos and LDAP solutions, and now it is required to do that for the IPA solution
as well. Another benefit is, as long as I know how to do it manually, then in
case the combo script ipa-client-install is overkill, I can do subcomponent
Freeipa-users mailing list
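The thread describes certmonger's job as tracking certificate expiry and fetching a replacement from IPA before the old cert runs out. The following is an added example, not code from the thread or from the FreeIPA/certmonger projects: a small POSIX shell check that uses OpenSSL's `x509 -checkend` to decide whether a certificate file falls inside a renewal window, and a helper that builds a short-lived self-signed test certificate as constructed input (the hostname and window sizes are made up). On a host that certmonger manages, the equivalent status view is `getcert list`; this script only shows the underlying expiry test.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide whether a certificate
# is inside a renewal window, the same question certmonger asks before it
# contacts IPA for a fresh cert.

# needs_renewal CERT_FILE DAYS
#   Prints "renew" if CERT_FILE expires within DAYS days, otherwise "ok".
#   Always returns 0 so it can be used under `set -e` without an if-guard.
needs_renewal() {
    cert="$1"
    days="$2"
    seconds=$((days * 86400))
    # `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
    # from now and 1 when it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

# make_test_cert OUT_DIR DAYS
#   Creates a self-signed certificate valid for DAYS days (constructed test
#   data; the CN is a placeholder) and prints the path to the PEM file.
make_test_cert() {
    dir="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days "$days" -subj "/CN=host.example.test" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Demo: a cert that expires in 30 days is due for renewal under a 60-day
# window but not under a 7-day window.
demo_dir=$(mktemp -d)
demo_cert=$(make_test_cert "$demo_dir" 30)
echo "30-day cert, 60-day window: $(needs_renewal "$demo_cert" 60)"
echo "30-day cert, 7-day window:  $(needs_renewal "$demo_cert" 7)"
rm -rf "$demo_dir"
```

A cron job or config-management run can call `needs_renewal` on each cert it is told to watch and trigger whatever request mechanism the site uses (for IPA-issued certs, an `ipa-getcert` tracking request does the renewal itself).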