Walid A. Shaari wrote:
> Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and 3
> clients?

Sure, the cert isn't used anyway but it isn't optional to have
certmonger try to get one.

If you really care you can run a command to tell certmonger to stop
tracking the cert though:

# ipa-getcert stop-tracking -d /etc/pki/nssdb -n 'IPA Machine
Certificate - client.example.com'

That doesn't remove the certificate from the database. If you want to do
that do:

# certutil -D -d /etc/pki/nssdb/ -n 'IPA Machine Certificate -

And you might to revoke the cert. To do that you'd use ipa cert-revoke
<serial number>. You need pretty high privileges to do that though
(admin has them).


> On 18 September 2014 17:43, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>     Walid A. Shaari wrote:
>     > Hi,
>     >
>     > we are going to have a use case of diskless HPC clients that will use
>     > the IPA for lookups, I was wondering if i can get rid of the
>     > state-fulness of the client configuration as much as possible as it is
>     > more of a cattle than pets use case. that is i do not need to know
>     that
>     > the client is part of the domain, no need to enroll a node with a
>     > certificate. and services will be mostly hpc mpi and ssh, not required
>     > to have an SSL certificate for secure communication. is it possible to
>     > get rid of the client certificate and the requirements for clients to
>     > enroll? or there are other uses for the certificate that i am not
>     aware of ?
>     Yes, you don't need to obtain a machine certificate. In fact we have
>     stopped doing this upstream.
>     rob

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to