[Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

Jan Cholasta jcholast at redhat.com
Mon Jul 18 06:22:58 UTC 2016


On 8.7.2016 15:59, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 8.7.2016 15:31, Rob Crittenden wrote:
>>> Petr Spacek wrote:
>>>> Hi,
>>>>
>>>> our docs
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca
>>>>
>>>>
>>>>
>>>> claim this:
>>>> "The certmonger service is not used to track certificates.
>>>> Therefore, it does
>>>> not warn you of impending certificate expiration."
>>>>
>>>> Is this correct?
>>>>
>>>> Can we at least configure certmonger to passively track the
>>>> certificates and
>>>> throw warning about impending expiration into logs?

+1, I have already suggested we do this several times.

>>>>
>>>
>>> Throw a warning where? Register an e-mail address as part of the
>>> tracking
>>> perhaps?
>>>
>>> It would probably be fairly easy to write a "CA" that sends an
>>> e-mail. The
>>> trick, and this has always tripped us up, is having an MTA configured.
>>
>> I would start with logs, as I wrote in the original message. This will
>> naturally evolve into something else when we finally get
>> user-configurable hooks.
>>
>> In any case, having certmonger configured to track the certs is
>> prerequisite
>> for all cases...
>
> "Logs" is not very specific, do you mean syslog/journal?
>
> Feel free to open an RFE against certmonger with your proposal. I
> suspect that anything logged will just get lost in most cases.

For the IPA CA certificate, we log warnings to syslog at ALERT level. I 
think doing that for other certs would be good enough for starters.

>
> rob
>


-- 
Jan Cholasta
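The "watch-and-warn" behaviour discussed in this thread (check a certificate's expiry and raise an ALERT-level syslog message, the way IPA already does for its own CA certificate) can be reproduced today with a small script while certmonger is not tracking the certificates. The script below is an added example; it is not FreeIPA or certmonger code and not something from the thread. It assumes openssl(1) is on PATH (logger(1) is used only if present), that the certificates are available as PEM files, and the file names it creates for its sample input are constructed throwaway self-signed certificates, not IPA service certificates. The 28-day warning window is a value chosen here, not a certmonger setting.

```shell
#!/bin/sh
# Added example (not FreeIPA/certmonger code): a passive "watch-and-warn"
# check for PEM certificates that nothing else is tracking.
# Assumptions: openssl(1) on PATH; logger(1) optional; certificate paths are
# whatever the caller passes in (no real IPA paths are assumed here).
set -u

# Days before notAfter at which to start alerting (a choice made for this
# example, not a certmonger default).
WARN_DAYS=${WARN_DAYS:-28}

# cert_expires_within CERT SECONDS
# Returns 0 if CERT will expire within SECONDS, 1 if it will still be valid,
# 2 if CERT is unreadable or not a parseable X.509 certificate.
cert_expires_within() {
    cert=$1
    secs=$2
    [ -r "$cert" ] || return 2
    # "openssl x509 -checkend N" exits 0 when the certificate is still valid
    # N seconds from now and 1 when it will have expired by then (or when the
    # input cannot be parsed, which we separate out below).
    if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    return 0
}

# warn_expiring CERT
# Emits a daemon.alert syslog message (mirroring the ALERT severity the
# thread mentions for the IPA CA cert) and prints it, when CERT is within
# WARN_DAYS of expiry. Returns 0 if a warning was raised, 1 if the cert is
# fine, 2 on error.
warn_expiring() {
    cert=$1
    secs=$((WARN_DAYS * 86400))
    rc=0
    cert_expires_within "$cert" "$secs" || rc=$?
    case $rc in
        0)
            enddate=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
            msg="certificate $cert expires within $WARN_DAYS days (notAfter: $enddate)"
            if command -v logger >/dev/null 2>&1; then
                # Ignore logger failures (e.g. no syslog socket in a container).
                logger -t cert-watch -p daemon.alert -- "$msg" 2>/dev/null || :
            fi
            echo "ALERT: $msg"
            return 0
            ;;
        1)
            return 1
            ;;
        *)
            echo "ERROR: cannot read or parse $cert" >&2
            return 2
            ;;
    esac
}

# make_test_cert OUT DAYS
# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days, used only to exercise the functions above.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh cert-watch.sh /path/to/first.pem /path/to/second.pem ...
# (run from cron; exits 0 if every given certificate is outside the window)
status=0
for c in "$@"; do
    if warn_expiring "$c"; then
        status=1
    fi
done
[ "$#" -eq 0 ] || exit "$status"
```

Certificates kept in NSS databases rather than PEM files would first have to be exported (for example with certutil) before this check can read them. Logging to syslog at ALERT level has the limitation Rob raises in the thread: unless something is watching the log, the message can simply be lost, so in practice the cron job's non-zero exit status is the more reliable signal to hook into.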