Re: [Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode



Petr Spacek wrote:
> On 8.7.2016 15:31, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> Hi,
>>>
>>> our docs
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca
>>>
>>> claim this:
>>> "The certmonger service is not used to track certificates. Therefore, it does
>>> not warn you of impending certificate expiration."
>>>
>>> Is this correct?
>>>
>>> Can we at least configure certmonger to passively track the certificates and
>>> throw a warning about impending expiration into logs?
>>
>> Throw a warning where? Register an e-mail address as part of the tracking
>> perhaps?
>>
>> It would probably be fairly easy to write a "CA" that sends an e-mail. The
>> trick, and this has always tripped us up, is having an MTA configured.
>
> I would start with logs, as I wrote in the original message. This will
> naturally evolve into something else when we finally get user-configurable hooks.
>
> In any case, having certmonger configured to track the certs is a prerequisite
> for all cases...

"Logs" is not very specific, do you mean syslog/journal?

Feel free to open an RFE against certmonger with your proposal. I suspect that anything logged will just get lost in most cases.

rob