[Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

Rob Crittenden rcritten at redhat.com
Fri Jul 8 13:59:12 UTC 2016


Petr Spacek wrote:
> On 8.7.2016 15:31, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> Hi,
>>>
>>> our docs
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca
>>>
>>>
>>> claim this:
>>> "The certmonger service is not used to track certificates. Therefore, it does
>>> not warn you of impending certificate expiration."
>>>
>>> Is this correct?
>>>
>>> Can we at least configure certmonger to passively track the certificates and
>>> throw a warning about impending expiration into logs?
>>>
>>
>> Throw a warning where? Register an e-mail address as part of the tracking
>> perhaps?
>>
>> It would probably be fairly easy to write a "CA" that sends an e-mail. The
>> trick, and this has always tripped us up, is having an MTA configured.
>
> I would start with logs, as I wrote in the original message. This will
> naturally evolve into something else when we finally get user-configurable hooks.
>
> In any case, having certmonger configured to track the certs is a prerequisite
> for all cases...

"Logs" is not very specific; do you mean syslog/journal?

Feel free to open an RFE against certmonger with your proposal. I 
suspect that anything logged will just get lost in most cases.

rob
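For readers who want the "passive track and warn into logs" behaviour Petr describes without waiting on certmonger, here is what such a watch-and-warn job looks like. This is an added example, not certmonger code and not anything posted in this thread: it parses the `notAfter` line exactly as `openssl x509 -noout -enddate` prints it, buckets each certificate by days of validity left, and writes the result to syslog (falling back to stderr). The certificate paths are placeholders, `openssl` on PATH is assumed, and the 28-day warning / 7-day critical thresholds are my own choice; the sample enddate lines and the pinned "now" are constructed so the check is reproducible offline.

```python
"""Passive watch-and-warn certificate expiry check.

Added example, not certmonger's code and not part of FreeIPA.  It consumes
the notAfter line a cron job would get from `openssl x509 -noout -enddate`
and logs a warning when a certificate is close to expiry.
"""
import logging
import logging.handlers
import subprocess
from datetime import datetime, timezone

WARN_DAYS = 28  # assumed threshold: warn with fewer than four weeks left
CRIT_DAYS = 7   # assumed threshold: escalate in the last week

log = logging.getLogger("cert-watch")


def parse_enddate(line: str) -> datetime:
    """Turn one `openssl x509 -noout -enddate` line, e.g.
    'notAfter=Jul  8 13:59:12 2026 GMT', into a timezone-aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"not an enddate line: {line!r}")
    # openssl pads single-digit days with two spaces; strptime's %d tolerates that.
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def classify(not_after: datetime, now: datetime):
    """Return (days_left, level) with level one of ok/warning/critical/expired."""
    days_left = (not_after - now).days  # floors, so a cert expiring today is already negative
    if days_left < 0:
        return days_left, "expired"
    if days_left < CRIT_DAYS:
        return days_left, "critical"
    if days_left < WARN_DAYS:
        return days_left, "warning"
    return days_left, "ok"


def check_certs(enddates: dict, now: datetime):
    """Classify every tracked certificate and log anything that is not 'ok'.

    `enddates` maps a friendly name to the raw enddate line for that cert.
    Returns a list of (name, days_left, level) in input order."""
    results = []
    for name, line in enddates.items():
        days_left, level = classify(parse_enddate(line), now)
        results.append((name, days_left, level))
        msg = "certificate %s: %s, %d day(s) of validity left"
        if level in ("expired", "critical"):
            log.error(msg, name, level, days_left)
        elif level == "warning":
            log.warning(msg, name, level, days_left)
        else:
            log.info(msg, name, level, days_left)
    return results


def enddate_from_file(path: str) -> str:
    """Ask openssl for the notAfter line of a certificate on disk (openssl assumed on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def configure_logging():
    """Send records to syslog via /dev/log when it exists, otherwise to stderr."""
    handler = logging.StreamHandler()
    try:
        handler = logging.handlers.SysLogHandler(address="/dev/log")
    except OSError:
        pass
    logging.basicConfig(level=logging.INFO, handlers=[handler],
                        format="cert-watch: %(message)s")


# Constructed sample data in the format openssl prints; "now" is pinned for reproducibility.
SAMPLE_NOW = datetime(2016, 7, 8, 13, 59, 12, tzinfo=timezone.utc)
SAMPLE_ENDDATES = {
    "httpd":  "notAfter=Jul  8 13:59:12 2017 GMT",  # a year left -> ok
    "dirsrv": "notAfter=Jul 20 00:00:00 2016 GMT",  # 11 days left -> warning
    "kdc":    "notAfter=Jul 10 09:00:00 2016 GMT",  # 1 day left -> critical
    "stale":  "notAfter=Jun  1 00:00:00 2016 GMT",  # already expired
}


def sample_check():
    """Run the check over the constructed sample against the pinned clock."""
    return check_certs(SAMPLE_ENDDATES, SAMPLE_NOW)


if __name__ == "__main__":
    configure_logging()
    # Placeholder paths; point these at the certificates you actually want tracked.
    tracked = {"httpd": "/path/to/httpd-cert.pem", "dirsrv": "/path/to/dirsrv-cert.pem"}
    check_certs({n: enddate_from_file(p) for n, p in tracked.items()},
                datetime.now(timezone.utc))
```

Run it from a daily cron or systemd timer; because it only reads the certificate and writes to the journal, it never touches the key or the service, which is the "passive" property the thread is after. Rob's caveat still applies: a log line is easy to miss, so pair the error-level records with whatever alerting already consumes your syslog/journal.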
