[Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP
Martin Kosek
mkosek at redhat.com
Fri Jun 13 07:05:50 UTC 2014
On 06/12/2014 07:45 PM, Jan Cholasta wrote:
...
> Note that automatic distribution of CA certificates to IPA systems is not
> implemented yet (it's planned for IPA 4.2, see
> <https://fedorahosted.org/freeipa/ticket/4322>), so /etc/ipa/ca.crt,
> /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are updated *only*
> during client/server install.
>
> Honza
For 4.0, we will need to come up with a manual procedure for renewing the
certificates *without* reinstalling the client or server.
I think the best way would be to prepare a simple script to renew
client/server, something like
/usr/share/ipa/ipa-renew-client-certificate
/usr/share/ipa/ipa-renew-server-certificate
and refer to it in the ipa-cacert-manage man page. People could then pretty
easily run those after a cert change, using whatever means their infrastructure
uses - puppet, ssh, ...
Martin
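As an added illustration of the manual procedure discussed above (this is not FreeIPA code and not a script from either poster), the following POSIX shell helper refreshes the CA certificate copies named in the thread after a CA change: it replaces the PEM copy atomically and re-imports the certificate into each NSS database that exists. Assumptions: the new CA certificate is a PEM file, the locations default to the four paths quoted above but can be overridden through environment variables, certutil is invoked with the "CT,C,C" trust flags (assumed to match what the installer uses), and the sample certificate written by write_sample_pem is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Hypothetical helper for re-distributing a renewed CA certificate to the
# local copies listed in the thread. Not FreeIPA's own code.
set -u

# Return 0 if the file carries at least one PEM certificate block.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" \
        && grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Replace a PEM copy atomically: write a temp file next to the target,
# fix its mode, then rename over the old copy so readers never see a
# half-written file.
install_pem_copy() {
    src=$1; dst=$2
    is_pem_cert "$src" || {
        echo "refusing: $src is not a PEM certificate" >&2; return 1; }
    tmp="$dst.tmp.$$"
    cp -- "$src" "$tmp" && chmod 0644 "$tmp" && mv -f -- "$tmp" "$dst"
}

# Import the certificate into an NSS database. Missing databases and a
# missing certutil binary are skipped rather than treated as errors, so the
# same script can run on a client that has no 389-ds or httpd database.
import_into_nssdb() {
    db=$1; nick=$2; src=$3
    [ -d "$db" ] || { echo "skip: $db does not exist" >&2; return 0; }
    command -v certutil >/dev/null 2>&1 \
        || { echo "skip: certutil not installed" >&2; return 0; }
    # -A adds a certificate, -a reads PEM input; "CT,C,C" trusts it as a CA
    # for SSL, email and object signing (assumption: the installer's flags).
    certutil -A -d "$db" -n "$nick" -t "CT,C,C" -a -i "$src"
}

# Refresh every copy: PEM file first, then the three NSS databases.
# Paths can be overridden via IPA_CA_CRT, NSSDB, DS_DB, HTTPD_DB, CA_NICK.
refresh_ca_copies() {
    src=$1; realm=${2:-REALM}
    install_pem_copy "$src" "${IPA_CA_CRT:-/etc/ipa/ca.crt}" || return 1
    for db in "${NSSDB:-/etc/pki/nssdb}" \
              "${DS_DB:-/etc/dirsrv/slapd-$realm}" \
              "${HTTPD_DB:-/etc/httpd/alias}"; do
        import_into_nssdb "$db" "${CA_NICK:-IPA CA}" "$src" || return 1
    done
}

# Constructed placeholder PEM for demonstration only; the body is not a
# real certificate and would be rejected by any X.509 parser.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlRJRklDQVRF
-----END CERTIFICATE-----
EOF
}

# Demo run against a temporary directory: ./refresh-ca.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_pem "$d/new-ca.pem"
    IPA_CA_CRT="$d/ca.crt"; NSSDB="$d/nssdb"; DS_DB="$d/slapd"; HTTPD_DB="$d/alias"
    refresh_ca_copies "$d/new-ca.pem" EXAMPLE.TEST && echo "updated $d/ca.crt"
    rm -rf "$d"
fi
```

Run as root with the default paths after the CA certificate has been renewed, or with the environment overrides against a scratch directory to see the flow without touching the system databases; the PEM check stops a truncated or wrong file from overwriting /etc/ipa/ca.crt.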