On 04/27/2012 03:05 PM, David Copperfield wrote:
> >From: Dmitri Pal <d...@redhat.com>
> >
> >Let us take one at a time.
> >Dogtag is the certificate system.
> >Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication.
> >The certificates need to be issued so IPA can issue certs for those services in your environment.
> >There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert.
> >There will be more certificate related features over time. They would include support of pkinit, issuance and management of the user certificates and many others.
> >Some of the work has started but is not complete, this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
> >
> >Hope it clarifies things.
>
> Thanks. That's pretty clear. certmonger and Dogtag could be a very useful combination.
> For my case, where internal/outside company web servers already have external certified 3-year wildcard certificates, and IPA/LDAP servers have the dogtag/certmonger installed for them, maybe I can put off installing host certificates and certmonger services on other IPA clients to save a few CPU cycles now?

Up to you.

> Sure I can turn certmonger on and create host certificates anytime as long as needs pop up later.
>
> >What is the reason for manually configuring the client?
>
> The main purpose here is company policy. We use central config management systems to push out config files and etc. Basically we did it for separate Kerberos and LDAP solutions, and now it is required to do that for the IPA solution as well. Another benefit is, as long as I know how to do it manually, then in case the compo script ipa-client-install is an overkill, I can do a subcomponent only.

Maybe it would be helpful to share your experience on an IPA wiki page for others to follow with similar use cases? Do you have something that I can post there?
If you found anything missing in the documentation please file a BZ or ticket in upstream trac.

> Thanks.
>
> --David

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.