[Freeipa-devel] [PATCH] 1109 No client machine cert

Martin Kosek mkosek at redhat.com
Fri Sep 5 08:43:55 UTC 2014


On 09/04/2014 05:13 PM, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> On 3.9.2014 at 21:23, Rob Crittenden wrote:
>>> No longer request and install a cert for the IPA client machine.
>>>
>>> rob
>>
>> The original plan was to keep generating the certificate, but in
>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>
>> I'm fine with either approach.
>>
> 
> The cert has never been used and is now actively causing issues in
> RHEL-7 with systemd and kickstart. It could be made optional, and move
> the location, but IMHO its time has come.
> 
> rob

One change that Rob's patch also makes is that from now on, certmonger would not
be enabled and running by default on client machines. It would only be enabled
on the IPA server.

I am still not confident about the resolution to just stop generating the
certificate; I was leaning more towards making it optional + generating to a
better database, as Honza proposed.

Simo, Alexander, what is your take on this?

Thanks,
Martin



