Genadi Postrilko wrote:
Hello all.
I'm trying to understand the use of the certificates in the
communication between an IPA client and server.
The documentation describes the retrieval of the CA certificate during client
setup:
"Retrieve the CA certificate for the IdM CA"

And the retrieval of an SSL server certificate:
"Enable certmonger, retrieve an SSL server certificate, and install the
certificate in /etc/pki/nssdb"

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html#what-happens-clients

From my understanding, authentication in an IPA environment is Kerberos
based; therefore the client and server share a "secret" that allows the
user to authenticate himself to the server and vice versa.
Where does the need for a certificate come from? Are some of the IPA server
services not kerberized?

Kerberos over HTTP requires SSL which is why the CA is retrieved and installed.

We don't currently use the machine certificate. This was for future-proofing.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
