[Freeipa-devel] [PATCH] 1109 No client machine cert

Rob Crittenden rcritten at redhat.com
Fri Sep 5 13:15:24 UTC 2014


Alexander Bokovoy wrote:
> On Fri, 05 Sep 2014, Martin Kosek wrote:
>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 3.9.2014 at 21:23, Rob Crittenden wrote:
>>>>> No longer request and install a cert for the IPA client machine.
>>>>>
>>>>> rob
>>>>
>>>> The original plan was to keep generating the certificate, but in
>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>
>>>> I'm fine with either approach.
>>>>
>>>
>>> The cert has never been used and is now actively causing issues in
>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>> the location, but IMHO its time has come.
>>>
>>> rob
>>
>> One change that Rob's patch also does is that from now on, certmonger
>> would not be enabled and running by default on client machines. It would
>> only be enabled on IPA server.
>>
>> I am still not confident about the resolution to just stop generating the
>> certificate, I was leaning more towards making it optional + generating
>> to better database as Honza proposed.
>>
>> Simo, Alexander, what is your take on this?
> I'm fine with making it optional. However, on client machine upgrades do
> not stop and disable certmonger if it is tracking more than just the
> host certificate.
> 

Well, that is unrelated to this change. Should that be a separate ticket?

rob



