On Tue, Feb 19, 2013 at 1:13 PM, Natxo Asenjo <[email protected]> wrote:
> On Tue, Feb 19, 2013 at 3:19 PM, Nico Kadel-Garcia <[email protected]> wrote:
>
>> SSL certificates are associated with specific applications, so
>> there's no surprise here. Also, some of the contents in /etc/pki are
>> for GPG keys, not SSL certificates (such as /etc/pki/rpm-gpg). And
>> others are for applications that probably don't need this unless
>> you're going to a lot of work, such as "/etc/pki/dovecot". And some
>> are the root certificates for Mozilla designated upstream signature
>> authorities, such as /etc/pki/java/cacerts and /etc/pki/tls/cacerts/*
>>
>> Unfortunately, each application handles the certificates
>> individually, so you really have to deal on an application by
>> application basis with these.
>>
>> Which *application* are you using IPA for ? Just Kerberos
>> authentication, or full account management, or what?
>
> the total package, including soon a cross realm trust with an AD
> infrastructure.
>
> I am starting to think that maybe a wildcard certificate might just be
> easier and cheaper ...

Yeah, I'm a bit concerned about IPA. It sounds like a great idea to integrate and harden those services, but I've done Kerberos and LDAP migrations. With Samba 4 out and working, I'm not sure there's a big market for it. And I definitely expect Samba 4 to work with SL 7. (I'm writing rebundling SRPMs for Samba 4.0.3 on SL 6 right now...)
