On Tue, Feb 19, 2013 at 7:35 AM, Natxo Asenjo <[email protected]> wrote:
> hi,
>
> I posted this question to the centos list but I have not had a lot of
> feedback, so allow me to ask it here as well.
>
> I need to deploy an internal CA to our hosts. The CA is up and running
> as a part of an IPA infrastructure. Not all linux hosts (mainly redhat
> based) are or will be part of the kerberos realm.
>
> Fedora is planning something I could use now
> http://fedoraproject.org/wiki/Features/SharedSystemCertificates but it
> is not there yet ;-)
>
> I already have a deploying infrastructure (cfengine), so my question
> is: what files do I need to move around for a systemwide installation?
>
> The obvious start point will be /etc/PKI/ but in there in a random
> client I already see some problems:
>
> ls -l /etc/pki/
> total 28
> drwxr-xr-x. 6 root root 4096 Aug 23 06:55 CA
> drwxr-xr-x. 4 root root 4096 Mar 13 2012 dovecot
> drwxr-xr-x. 2 root root 4096 Mar 11 2012 java
> drwxr-xr-x. 2 root root 4096 Feb 8 10:46 nssdb
> drwxr-xr-x. 2 root root 4096 Oct 25 23:06 rpm-gpg
> drwx------. 2 root root 4096 Jun 22 2012 rsyslog
> drwxr-xr-x. 5 root root 4096 Oct 25 23:07 tls
>
> For ldap queries, I need to add it in /etc/openldap/certs and run
> cacertdir_rehash.
SSL certificates are associated with specific applications, so there's no surprise here. Also, some of the contents in /etc/pki are for GPG keys, not SSL certificates (such as /etc/pki/rpm-gpg). And others are for applications that probably don't need this unless you're going to a lot of work, such as "/etc/pki/dovecot". And some are the root certificates for Mozilla designated upstream signature authorities, such as /etc/pki/java/cacerts and /etc/pki/tls/cacerts/*

Unfortunately, each application handles the certificates individually, so you really have to deal on an application by application basis with these.

Which *application* are you using IPA for? Just Kerberos authentication, or full account management, or what?
