On 07/12/2013 01:25 PM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 07/12/2013 01:19 PM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> Is there a reason that ipa-client-install does not add the CA of the IPA
>>>> server to the ca-bundle.crt file in /etc/pki/certs/?
>>>>
>>>> Seems like it would be a reasonable move to do that.
>>>>
>>>> I know it imports the CA into /etc/pki/nssdb.
>>>>
>>>> Hopefully I didn't miss something that allows it to. But I wanted to
>>>> check if there was a good reason for it not to before going and filing
>>>> an RFE.
>>>
>>> We will as part of the shared system certificates effort,
>>> http://fedoraproject.org/wiki/Features/SharedSystemCertificates Our
>>> ticket is https://fedorahosted.org/freeipa/ticket/3504
>>>
>>> They are working on tools to make managing these certificates easier for
>>> F-20.
>>>
>>> rob
>>>
>>
>> Yeah I saw that effort for F19, I think it is excellent and well time
>> for it. Glad to know it is on the radar. For those of us in RHEL land at
>> least for now, it looks like this won't help.
>
> Yeah, sorry about that. The problem is this is one big blob of certs. In
> theory it should be relatively easy to script up something to safely
> add/remove certs from it, but there are issues like updating the
> ca-certificates package would over-write any changes we made. So it's
> the sort of thing that works, then it doesn't, and is really hard to pin
> down why.
>
> rob
>
Yep understood, that is the way the cookie crumbles sometimes. Again just glad it is on the radar and that things are becoming more centralized. Certificate management has been, in the past, a real pain point for me.

-Erinn
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
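Added example, not part of the original thread and not FreeIPA or ca-certificates code: a sketch of the "safely add/remove certs" idea discussed above, matching entries in a PEM bundle by the SHA-256 of their DER bytes so that adding is idempotent and a bundle replaced by a package update can be detected. The function names, `VENDOR_BUNDLE` and `IPA_CA` are hypothetical, and the PEM blocks are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def fingerprints(text):
    """SHA-256 of each certificate's DER bytes, in the order they appear."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(text)]

def has_cert(bundle, ca_pem):
    """True if the CA is in the bundle, whatever the line wrapping or comments."""
    (want,) = fingerprints(ca_pem)  # ca_pem must hold exactly one certificate
    return want in fingerprints(bundle)

def ensure_cert(bundle, ca_pem):
    """Append the CA only if it is absent; returns (new_bundle, changed)."""
    if has_cert(bundle, ca_pem):
        return bundle, False
    return bundle.rstrip("\n") + "\n" + ca_pem.strip() + "\n", True

def remove_cert(bundle, ca_pem):
    """Drop every copy of the CA and leave all other entries untouched."""
    (want,) = fingerprints(ca_pem)
    return PEM_RE.sub(
        lambda m: "" if fingerprints(m.group(0)) == [want] else m.group(0),
        bundle)

def fake_pem(payload):
    """Constructed stand-in for a certificate: PEM framing around sample bytes."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed sample data, not real certificates.
VENDOR_BUNDLE = ("# vendor roots\n" + fake_pem(b"constructed root A")
                 + fake_pem(b"constructed root B"))
IPA_CA = fake_pem(b"constructed IPA CA")

if __name__ == "__main__":
    patched, changed = ensure_cert(VENDOR_BUNDLE, IPA_CA)
    print("CA added:", changed, "| present:", has_cert(patched, IPA_CA))
    # A package update replaces the file with the vendor copy again.
    print("present after update:", has_cert(VENDOR_BUNDLE, IPA_CA))
```

Running the presence check after every package transaction is what turns the "works, then it doesn't" failure into something visible.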
