[Freeipa-users] Client Certificate

Natxo Asenjo natxo.asenjo at gmail.com
Thu Sep 18 20:20:54 UTC 2014


hi,

On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Natxo Asenjo wrote:
> > hi,
> >
> > On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >
> >     Yes, you don't need to obtain a machine certificate. In fact we have
> >     stopped doing this upstream.
> >
> >
> > Do you mean ipa will not have a CA in the future? Or will it be
> > optional? Or am I misunderstanding this :-) ? I quite like the CA stuff
> > in ipa, actually.
> >
>
> No, don't worry, the CA isn't going anywhere :-)
>
> On the client right now we retrieve a certificate for host identity and
> store it in /etc/pki/nssdb. We did this for future proofing and here we
> are, pretty far in the future, and we've never used it. So we decided to
> stop generating it.
>
> If on the off chance it turns out we're wrong and someone has actually
> found a use for that certificate it can be quite easily generated using
> ipa-getcert after the client is enrolled.
>
>
OK. I was thinking of starting a pilot with dot1x, and host certificates
are usually used for this, so it would be nice to have a CLI switch during
enrollment.

-- 
groet,
natxo


