[Freeipa-users] using wildcard or other external CA certs

Dmitri Pal dpal at redhat.com
Wed Jan 23 20:58:49 UTC 2013


On 01/23/2013 03:45 PM, Orion Poplawski wrote:
> On 01/23/2013 01:43 PM, Dmitri Pal wrote:
>> Yes please. Let us do it on the user list.
>>
>> Ticket URL:<https://fedorahosted.org/freeipa/ticket/3360#comment:14>
>
> So, my goal in using a wildcard cert signed by a "well known" CA was
> to be able to avoid installing the IPA CA in clients like Thunderbird
> and Firefox. Thoughts, comments, suggestions?
>
When you enroll the client we deliver the IPA CA cert to it and store it
in every cert store we can AFAIU. But I will leave it to Rob to comment on
that.

There is also a new feature in Fedora to consolidate the certificate
store for different components:
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
It is a step in the right direction. Once it is implemented we would
be able to place the IPA cert there during enrollment.

FF users have to accept the IPA cert when they hit IPA self service the
first time.
I do not see a way around placing the certs into the right stores but
maybe I am missing something. You can probably use something like
puppet to deliver it but isn't the cert store for FF in the user home
directory? It might not be available for puppet or any other central
tool to mess with.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

