Walid A. Shaari wrote:
> Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and 3
Sure, the cert isn't used anyway but it isn't optional to have
certmonger try to get one.
If you really care you can run a command to tell certmonger to stop
tracking the cert though:
# ipa-getcert stop-tracking -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com'
That doesn't remove the certificate from the database. If you want to do
# certutil -D -d /etc/pki/nssdb/ -n 'IPA Machine Certificate -
And you might want to revoke the cert. To do that you'd use ipa cert-revoke
<serial number>. You need pretty high privileges to do that though
(admin has them).
> On 18 September 2014 17:43, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
> Walid A. Shaari wrote:
> > Hi,
> > we are going to have a use case of diskless HPC clients that will use
> > the IPA for lookups, I was wondering if i can get rid of the
> > state-fulness of the client configuration as much as possible as it is
> > more of a cattle than pets use case. that is i do not need to know
> > the client is part of the domain, no need to enroll a node with a
> > certificate. and services will be mostly hpc mpi and ssh, not required
> > to have an SSL certificate for secure communication. is it possible to
> > get rid of the client certificate and the requirements for clients to
> > enroll? or there are other uses for the certificate that i am not
> > aware of ?
> Yes, you don't need to obtain a machine certificate. In fact we have
> stopped doing this upstream.