[Freeipa-devel] [PATCH] 1109 No client machine cert

Simo Sorce ssorce at redhat.com
Fri Sep 5 12:49:13 UTC 2014


On Fri, 2014-09-05 at 10:43 +0200, Martin Kosek wrote:
> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
> > Jan Cholasta wrote:
> >> Hi,
> >>
> >> On 3.9.2014 at 21:23, Rob Crittenden wrote:
> >>> No longer request and install a cert for the IPA client machine.
> >>>
> >>> rob
> >>
> >> The original plan was to keep generating the certificate, but in
> >> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
> >>
> >> I'm fine with either approach.
> >>
> > 
> > The cert has never been used and is now actively causing issues in
> > RHEL-7 with systemd and kickstart. It could be made optional, and move
> > the location, but IMHO its time has come.
> > 
> > rob
> 
> One change that Rob's patch also does is that from now on, certmonger would not
> be enabled and running by default on client machines. It would only be enabled
> on IPA server.
> 
> I am still not confident about the resolution to just stop generating the
> certificate, I was leaning more towards making it optional + generating to a
> better database as Honza proposed.
> 
> Simo, Alexander, what is your take on this?

I'm with Rob, do not enable and fetch certs we are not going to use,
this will also make the list of certs in the server more relevant.

Simo.





