Natxo Asenjo wrote:
> hi,
> On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden <
> <>> wrote:
>     Yes, you don't need to obtain a machine certificate. In fact we have
>     stopped doing this upstream.
> Do you mean ipa will not have a CA in the future? Or will it be
> optional? Or am I misunderstanding this :-) ? I quite like the CA stuff
> in ipa, actually.

No, don't worry, the CA isn't going anywhere :-)

On the client right now we retrieve a certificate for host identity and
store it in /etc/pki/nssdb. We did this for future proofing and here we
are, pretty far in the future, and we've never used it. So we decided to
stop generating it.

If on the off chance it turns out we're wrong and someone has actually
found a use for that certificate it can be quite easily generated using
ipa-getcert after the client is enrolled.


Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to