[Freeipa-devel] [RFE] CA-less install

Petr Viktorin pviktori at redhat.com
Fri Mar 29 15:41:32 UTC 2013


On 03/22/2013 01:10 PM, Petr Viktorin wrote:
> The design page for CA-less installation with user-provided SSL certs is
> available at http://freeipa.org/page/V3/CA-less_install. I've also
> copied it to this mail.
>
> Does it answer all your questions?
>

I have added "Affected commands" and "Clients" sections to the RFE.

Since I mentioned host-mod which takes certs in yet another format, I've 
added a "Base64-encoded DER certificates" section as well.

== Affected commands ==

IPA's cert plugin and cert-* commands will not be available at all.
Calling them will result in CommandError (code 905).
No online help will be available for them, or for the "cert" topic.

Certificates removed from LDAP will not be automatically revoked. This
affects the following commands:

* host-del
* host-mod
* host-disable
* service-del
* service-mod
* service-disable

== Clients ==

Clients in a CA-less IPA installation will work normally, except
host certificates will not be assigned automatically.

Older clients configure certmonger to obtain the host certificate, which
will fail, with the following line appearing periodically in the system log:

     Server failed request, will retry: 905 (RPC failed at server. unknown command 'cert_request').

The errors can be stopped by issuing:

     # getcert list  # to find out the certmonger request ID
     # getcert stop-tracking <ID of offending request>

If needed, machine certificates may be obtained from the external CA and
added to the server with:

     ipa host-mod <hostname> --certificate <base64-encoded DER cert>


---


=== Base64-encoded DER certificates ===

The letters and symbols between a PEM file's BEGIN CERTIFICATE and
END CERTIFICATE markers are a base64-encoded DER-encoded X.509 certificate.
To convert between PEM and base64-encoded DER, just add or remove the
markers in a text editor.
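The same conversion, done programmatically, as an added example (this is not code from the design page or from FreeIPA itself). It strips or adds the PEM markers to produce the single-line base64 value described above, and before handing it to host-mod it decodes the base64 and checks that the result is one complete DER SEQUENCE of the declared length, which catches a truncated or mis-pasted certificate. The sample bytes at the bottom are constructed test data, a DER SEQUENCE of two INTEGERs rather than a real certificate; substitute a real PEM file in practice.

```python
"""Convert between PEM and bare base64-encoded DER, with a sanity check.

Added example; not part of FreeIPA.  The helpers work on any real PEM
certificate; the sample data at the bottom is constructed, not a real cert.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_outer_length(der: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE in `der`.

    An X.509 certificate is a SEQUENCE (tag 0x30) with a definite length.
    Comparing that length with the data actually present catches truncated
    or over-long input before it is stored on the server.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_b64der(b64: str) -> bytes:
    """Decode base64 DER and verify it is exactly one complete SEQUENCE."""
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match data (truncated or extra bytes)")
    return der


def pem_to_b64der(pem: str) -> str:
    """Extract the single-line base64 DER value from one PEM certificate."""
    blocks = PEM_BLOCK.findall(pem)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    b64 = "".join(blocks[0].split())      # drop the line breaks between markers
    check_b64der(b64)
    return b64


def b64der_to_pem(b64: str) -> str:
    """Wrap base64 DER in PEM markers, 64 characters per line."""
    b64 = "".join(b64.split())
    check_b64der(b64)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def is_valid_b64der(b64: str) -> bool:
    """True if `b64` decodes to one complete DER SEQUENCE."""
    try:
        check_b64der(b64)
        return True
    except ValueError:
        return False


# Constructed sample (not a real certificate): a DER SEQUENCE holding two
# INTEGERs, enough to exercise the marker handling and the length check.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()   # "MAYCAQECAQI="
SAMPLE_PEM = b64der_to_pem(SAMPLE_B64)

if __name__ == "__main__":
    print(SAMPLE_PEM)
    print("value for host-mod --certificate:", pem_to_b64der(SAMPLE_PEM))
```

The length check is deliberately shallow: it does not parse the certificate's fields or verify its chain, only that the bytes are a well-formed outer SEQUENCE, which is the failure mode a copy-and-paste between editor and shell most often produces.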

--
Petr³
