Natxo Asenjo wrote:
> hi,
> 
> On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>     Natxo Asenjo wrote:
>     > hi,
>     >
>     > On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>     >
>     >
>     >     Yes, you don't need to obtain a machine certificate. In fact we have
>     >     stopped doing this upstream.
>     >
>     >
>     > Do you mean ipa will not have a CA in the future? Or will it be
>     > optional? Or am I misunderstanding this :-) ? I quite like the CA stuff
>     > in ipa, actually.
>     >
> 
>     No, don't worry, the CA isn't going anywhere :-)
> 
>     On the client right now we retrieve a certificate for host identity and
>     store it in /etc/pki/nssdb. We did this for future proofing and here we
>     are, pretty far in the future, and we've never used it. So we decided to
>     stop generating it.
> 
>     If on the off chance it turns out we're wrong and someone has actually
>     found a use for that certificate it can be quite easily generated using
>     ipa-getcert after the client is enrolled.
> 
> 
> ok. I was thinking of starting a pilot with dot1.x and host
> certificates are usually used for this, so it would be nice to have a
> cli switch during enrollment.

Ok, do you have a preference on where the cert would be installed?
Currently it is added to /etc/pki/nssdb but we were going to move it to
/etc/ipa/nssdb before deciding to drop it altogether. I think if we
restore the functionality we'll use the latter database.

I filed https://fedorahosted.org/freeipa/ticket/4550
rob
