[Freeipa-users] Certs.
Rob Crittenden
rcritten at redhat.com
Thu Sep 18 00:24:53 UTC 2014
Walid wrote:
> Hi Rob,
>
> Self signed IPA certificate I saw it is 20 years, however how about the
> client nodes renewal, I see here it is automated, how, and when
For renewed CA certificate distribution, we are working on it in ticket
https://fedorahosted.org/freeipa/ticket/4322
For any server certificates on a client then certmonger is the way to
go, and is our recommended mechanism. It will monitor and automatically
renew any certificates installed (well, any it has permission to renew).
rob
>
> On 16 September 2014 20:13, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Walid wrote:
>
> Hi Dmitri,
>
> I am interested in the renewal process, how would that happen for
> clients, and when would it happen?
>
>
> It depends on what scenario you're talking about (self-signed IPA
> cert, IPA as subordinate, user-provided certificates), and what
> certs you mean.
>
> rob
>
>
> On 11 September 2014 03:01, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 09/10/2014 07:57 PM, William Graboyes wrote:
>
> Hi Dmitri,
>
> Production Environment is going to be RH 6.5, We are still evaluating
> the usage of systemd. More like we are taking a wait and see approach
> to systemd, while actively testing it.
>
> The command line options for chaining are there from day one.
> So you would need to chain your production environment when you
> deploy it.
> In future when you migrate to later versions (in a couple of years or
> so) you will be able to change the chaining using the new tools.
> Right now it is a very hard multi-step manual procedure. This is why
> we developed the tool.
> But you should be all set for now. You would not need to change
> anything for several years.
>
> Thanks
> Dmitri
>
>
>
> Thanks,
> Bill
>
> On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:
>
> On 09/10/2014 07:26 PM, William Graboyes wrote:
>
> Hi Chris,
>
> Thank you for the suggestion. Looking at
> http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html
>
> Installing a new, third party cert requires a reinstall of IPA? IPA
> Devs, that is a bit silly don't you think? A year or two in the cert
> expires, now you have to start from scratch? I will wait for some form
> of response before I attempt at eating crow in front of management.
>
> I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.
>
> Since 3.0 internal certs are issued for 2 years and are renewed
> automatically. The root cert is valid for more than two years (AFAIR
> it is 20).
>
>
>
>
>
> On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:
>
> Search the list for a post by me and certs... Basically there is an
> install flag that will do all the work for you once you have the cert
> in the right format.
> On Sep 10, 2014 5:53 PM, "William Graboyes" <wgraboyes at cenic.org> wrote:
>
> Hello list,
>
> I have been fruitlessly searching for some information, especially
> related to Certs, namely how to replace the self signed certs with
> certs from a trusted CA? As we are moving forward into
> productionizing of our free-ipa install, I am finding information on
> the net to be a bit lacking. There is also the possibility that I am
> not looking in the right places, or using the correct search terms.
> Any help on this front would be greatly appreciated.
>
> Thanks,
> Bill
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>
>
>
>
>
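A check for the certmonger behaviour described in the reply at the top of this message, as an added example that is not part of the original thread or of FreeIPA's code: it parses `getcert list` output and reports tracking requests that are not in the MONITORING state, have auto-renew disabled, or expire within `warn_days`. The sample listing, the 28-day threshold and the function names are assumptions, and expiry times are assumed to be printed in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints (real output indents with tabs).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140918002453':
    status: MONITORING
    stuck: no
    expires: 2016-09-18 00:24:53 UTC
    auto-renew: yes
Request ID '20140918002601':
    status: CA_UNREACHABLE
    stuck: no
    expires: 2014-10-01 00:00:00 UTC
    auto-renew: yes
Request ID '20140918002733':
    status: MONITORING
    stuck: no
    expires: 2016-09-18 00:27:33 UTC
    auto-renew: no
"""

def parse_requests(text):
    """Split the listing into one dict of fields per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, value = line.strip().split(": ", 1)
            requests[-1][key] = value
    return requests

def renewal_findings(text, now, warn_days=28):
    """Return (request id, problem) pairs for certs that may not renew unattended."""
    findings = []
    for req in parse_requests(text):
        if req.get("status") != "MONITORING" or req.get("stuck") == "yes":
            findings.append((req["id"], "status " + req.get("status", "unknown")))
        if req.get("auto-renew") != "yes":
            findings.append((req["id"], "auto-renew off"))
        expires = req.get("expires")  # absent while a request is still pending
        if expires:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC")
            if when.replace(tzinfo=timezone.utc) - now < timedelta(days=warn_days):
                findings.append((req["id"], "expires " + expires))
    return findings
```

On a client, feed it the text captured from `getcert list` and the current UTC time; an empty result means every tracked certificate is being monitored and has auto-renew enabled.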