[Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

Petr Spacek pspacek at redhat.com
Fri Jul 8 13:37:17 UTC 2016


On 8.7.2016 15:31, Rob Crittenden wrote:
> Petr Spacek wrote:
>> Hi,
>>
>> our docs
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca
>>
>>
>> claim this:
>> "The certmonger service is not used to track certificates. Therefore, it does
>> not warn you of impending certificate expiration."
>>
>> Is this correct?
>>
>> Can we at least configure certmonger to passively track the certificates and
>> throw a warning about impending expiration into logs?
>>
> 
> Throw a warning where? Register an e-mail address as part of the tracking
> perhaps?
> 
> It would probably be fairly easy to write a "CA" that sends an e-mail. The
> trick, and this has always tripped us up, is having an MTA configured.

I would start with logs, as I wrote in the original message. This will
naturally evolve into something else when we finally get user-configurable hooks.

In any case, having certmonger configured to track the certs is a prerequisite
for all cases...

-- 
Petr^2 Spacek
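
The watch-and-warn idea discussed in this thread, as an added example that is not part of the thread or of FreeIPA/certmonger code: it reads `getcert list`-style text and logs a warning for each tracked certificate that has expired or expires soon. It assumes certmonger is already tracking the certificates and that each request prints `subject:` and `expires:` lines in the layout shown; the sample text, the 28-day threshold and the logger name are constructed for illustration.

```python
import logging
import re
from datetime import datetime, timedelta, timezone
log = logging.getLogger("cert-expiry-watch")  # hypothetical logger name
# Constructed sample; the layout is assumed to match `getcert list` output.
SAMPLE = """\
Request ID '20160708133717':
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-20 13:37:17 UTC
Request ID '20160708133718':
\tsubject: CN=ldap.example.test,O=EXAMPLE.TEST
\texpires: 2018-07-08 13:37:17 UTC
Request ID '20160708133719':
\tsubject: CN=old.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-01 00:00:00 UTC
"""
REQ = re.compile(r"^Request ID '([^']+)':")
FIELD = re.compile(r"^\s+(subject|expires):\s*(.+?)\s*$")

def parse_tracked(text):
    """Return one dict per tracking request: id, subject, expires (UTC)."""
    certs = []
    for line in text.splitlines():
        if m := REQ.match(line):
            certs.append({"id": m.group(1)})
        elif (m := FIELD.match(line)) and certs:
            key, val = m.groups()
            if key == "expires":
                val = datetime.strptime(val, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            certs[-1][key] = val
    return certs

def check(text, now, warn_days=28):
    """Log a warning per expired/expiring cert; return the findings."""
    findings = []
    for c in parse_tracked(text):
        if "expires" not in c:
            continue  # request without an issued certificate yet
        left = c["expires"] - now
        if left > timedelta(days=warn_days):
            continue  # comfortably valid, nothing to report
        level = "EXPIRED" if left <= timedelta(0) else "EXPIRING"
        findings.append((level, c["id"], c.get("subject", "?"), left.days))
        log.warning("%s: request %s (%s), %d days left", *findings[-1])
    return findings

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    check(SAMPLE, datetime(2016, 7, 8, 13, 37, 17, tzinfo=timezone.utc))
```

Run periodically with the real command output and the current UTC time in place of the sample, the warnings land wherever the logging handler points, so no MTA is needed.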