Re: [Freeipa-devel] [PATCH 0001] ipa-server-certinstall should not tell certmonger to track 3rd party certificates

2016-02-07 Thread Thorsten Scherf

On [Wed, 13.01.2016 07:47], Jan Cholasta wrote:

> Hi Thorsten,
>
> thanks for the patch, but unfortunately it isn't as simple as this -
> if the provided certificate was issued by our CA, we should still
> track it.
>
> As part of installer improvements in 4.4, we plan to always track all
> certificates, even 3rd party ones (this way we can have the same
> certmonger configuration everywhere, plus the user will be at least
> warned when the certificate is about to expire), which will also fix
> this issue.
>
> Does that sound OK?


Yes, when the user gets a warning for certs which have been issued by
3rd party CAs in case they are going to expire, then it indeed does make
sense to have them tracked by certmonger.

Cheers,
Thorsten



-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0001] ipa-server-certinstall should not tell certmonger to track 3rd party certificates

2016-01-12 Thread Jan Cholasta

Hi Thorsten,

thanks for the patch, but unfortunately it isn't as simple as this - if 
the provided certificate was issued by our CA, we should still track it.


As part of installer improvements in 4.4, we plan to always track all 
certificates, even 3rd party ones (this way we can have the same 
certmonger configuration everywhere, plus the user will be at least 
warned when the certificate is about to expire), which will also fix 
this issue.


Does that sound OK?

Honza

--
Jan Cholasta
