[Freeipa-devel] Multiple CA certificates in LDAP, questions

Jan Cholasta jcholast at redhat.com
Fri Sep 13 09:05:39 UTC 2013


On 13.9.2013 10:53, Martin Kosek wrote:
> On 09/13/2013 10:51 AM, Jan Cholasta wrote:
>> On 5.9.2013 10:28, Jan Cholasta wrote:
>>> On 3.9.2013 18:16, Dmitri Pal wrote:
>>>> On 09/02/2013 04:49 AM, Petr Spacek wrote:
>>>>> It reminds me of problems with key-rotation for DNSSEC.
>>>>>
>>>>> Could we find common problems and use the same/similar solution for
>>>>> both problems?
>>>>>
>>>>> An extension for certmonger? Oddjob? Or a completely new daemon?
>>>>>
>>>> Certmonger already has a way to:
>>>> 1) Check things periodically
>>>> 2) Hand certs in different places
>>>> 3) Run post op scripts
>>>>
>>>> IMO it is a good candidate but I would leave it to Nalin to chime in.
>>>>
>>>
>>> I would expect more things that require periodic checking on clients
>>> beyond certificates to come in the future, so I'm not sure if doing this
>>> in certmonger is the right thing to do. Also, SSSD already does a
>>> similar thing for realm domains, right?
>
> Are you suggesting extending SSSD to handle that?

Yes.

>
>>>
>>> Honza
>>>
>>
>> So, does anyone have any strong opinions on this?
>
> Not at this point. BTW, is there any reason why we cannot go the simple way and
> just utilize cron and a script? Previously we just dropped conf to /etc/cron.d
> for ipa-compliance script and it worked quite well.

Hmm, that's so simple it might just work. At least until there is a 
better way.

>
> Martin
>

-- 
Jan Cholasta



