Erinn Looney-Triggs wrote:
> On 07/12/2013 01:19 PM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> Is there a reason that ipa-client-install does not add the CA of the IPA
>>> server to the ca-bundle.crt file in /etc/pki/certs/?
>>>
>>> Seems like it would be a reasonable move to do that.
>>>
>>> I know it imports the CA into /etc/pki/nssdb.
>>>
>>> Hopefully I didn't miss something that allows it to. But I wanted to
>>> check if there was a good reason for it not to before going and filing
>>> an RFE.
>>
>> We will as part of the shared system certificates effort,
>> http://fedoraproject.org/wiki/Features/SharedSystemCertificates Our
>> ticket is https://fedorahosted.org/freeipa/ticket/3504
>>
>> They are working on tools to make managing these certificates easier for
>> F-20.
>>
>> rob
>
> Yeah I saw that effort for F19, I think it is excellent and well time
> for it. Glad to know it is on the radar. For those of us in RHEL land at
> least for now, it looks like this won't help.

Yeah, sorry about that. The problem is this is one big blob of certs. In theory it should be relatively easy to script up something to safely add/remove certs from it, but there are issues like updating the ca-certificates package would overwrite any changes we made. So it's the sort of thing that works, then it doesn't, and is really hard to pin down why.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
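
Added example, not part of the thread and not FreeIPA code: a Python sketch of the kind of script the last reply describes, which adds or removes one CA in a PEM bundle idempotently and can be re-run after a ca-certificates update to detect that the change was overwritten. It works on the bundle text only; all function names are hypothetical, and the sample "certificates" in the demo are constructed byte strings, not real X.509 data.

```python
import base64
import hashlib
import re

# One PEM block, including its trailing newline so removal leaves no gap.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----\n?", re.S)

def _fp(b64_body):
    """SHA-256 of the decoded DER bytes, so line wrapping does not matter."""
    der = base64.b64decode("".join(b64_body.split()))
    return hashlib.sha256(der).hexdigest()

def fingerprints(pem_text):
    """Fingerprint of every certificate block in pem_text, in order."""
    return [_fp(m.group(1)) for m in PEM_RE.finditer(pem_text)]

def to_pem(der):
    """Wrap raw bytes as a PEM certificate block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def is_trusted(bundle_text, cert_pem):
    """Drift check: is the CA still in the bundle after a package update?"""
    return fingerprints(cert_pem)[0] in fingerprints(bundle_text)

def add_cert(bundle_text, cert_pem):
    """Append cert_pem unless the same certificate is already present."""
    if len(fingerprints(cert_pem)) != 1:
        raise ValueError("expected exactly one certificate")
    if is_trusted(bundle_text, cert_pem):
        return bundle_text
    sep = "" if bundle_text.endswith("\n") or not bundle_text else "\n"
    return bundle_text + sep + cert_pem

def remove_cert(bundle_text, cert_pem):
    """Remove only blocks matching cert_pem; other text is left untouched."""
    target = fingerprints(cert_pem)[0]
    return PEM_RE.sub(
        lambda m: "" if _fp(m.group(1)) == target else m.group(0), bundle_text)

if __name__ == "__main__":
    vendor = to_pem(b"constructed-vendor-ca-der")   # constructed sample data
    ipa_ca = to_pem(b"constructed-ipa-ca-der")      # constructed sample data
    bundle = add_cert(vendor, ipa_ca)
    bundle = vendor  # simulates the package update replacing the file
    print("IPA CA still trusted:", is_trusted(bundle, ipa_ca))
```
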