[Freeipa-users] Are replica gpg files reusable?

Rob Crittenden rcritten at redhat.com
Fri Apr 25 14:18:22 UTC 2014


Dmitri Pal wrote:
> On 04/25/2014 05:06 AM, Petr Spacek wrote:
>> On 25.4.2014 00:15, Dave Jones wrote:
>>> Hi Rob,
>>>
>>> I was considering installing replicas using puppet.  Having
>>> pre-prepared replica files available would be easier than having to
>>> run an ipa-replica-prepare and scp copy.
>>>
>>> I had guessed the ldap/kerberos replication would handle the
>>> user/password/DNS updates, and that changing CA certificates would be
>>> the most likely cause of gpg file invalidation.
>>
>> I'm working on DNSSEC support in FreeIPA right now. It is possible
>> that replica-file validity will be lowered by this work. (We will need to
>> distribute one new key as part of the replica file, so the replica file
>> will become invalid if the key was changed in the meantime. Maybe we will
>> find some other solution for it, I don't know ...)
>>
>
>
> Maybe the solution is to run a cron job on the server that would
> prepare a replica file and refresh it under source control every so often?

The downside is you could end up issuing a whole ton of certificates for 
the same service, the majority of which aren't being used, and are 
unrevoked.

rob
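A sketch of the cron-job idea that takes Rob's objection into account: regenerate the replica file only when the CA certificate it would embed has actually changed, so repeated runs do not issue a new set of service certificates each time. This is an added example, not code from the thread or from FreeIPA itself. It assumes the CA certificate is at /etc/ipa/ca.crt (the usual location on an IPA server), that ipa-replica-prepare accepts the Directory Manager password via --password, and that the state directory, the password file and the replica hostnames are placeholders. It only watches the CA certificate; if a DNSSEC key also ends up in the replica file, as Petr describes, the trigger would need to cover that key as well, which this example does not do.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Regenerate a replica file only when the CA certificate it embeds has
# changed, so a periodic job does not issue a fresh set of service
# certificates on every run.
# Assumptions: CA cert at /etc/ipa/ca.crt; STATE_DIR and the Directory
# Manager password file are placeholder paths.

CA_CERT="${CA_CERT:-/etc/ipa/ca.crt}"
STATE_DIR="${STATE_DIR:-/var/lib/ipa/replica-state}"

# Print the SHA-256 fingerprint of the file given as $1.
ca_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed (exit 0) when the replica file for host $1 should be
# regenerated: either no fingerprint has been recorded yet, or the CA
# certificate at $2 differs from the fingerprint recorded under $3.
needs_refresh() {
    host="$1"; cert="$2"; state="$3"
    stamp="$state/$host.ca-sha256"
    [ -f "$stamp" ] || return 0
    [ "$(cat "$stamp")" != "$(ca_fingerprint "$cert")" ]
}

# Record the fingerprint of $2 for host $1 under $3 after a successful
# ipa-replica-prepare run.
record_refresh() {
    host="$1"; cert="$2"; state="$3"
    mkdir -p "$state"
    ca_fingerprint "$cert" > "$state/$host.ca-sha256"
}

# Regenerate the replica file for each hostname given as an argument.
# The Directory Manager password is read from a root-only file
# (placeholder path); only a successful run updates the recorded
# fingerprint, so a failed run is retried next time.
main() {
    for host in "$@"; do
        if needs_refresh "$host" "$CA_CERT" "$STATE_DIR"; then
            ipa-replica-prepare --password "$(cat /root/.dm-password)" "$host" \
                && record_refresh "$host" "$CA_CERT" "$STATE_DIR"
        fi
    done
}

# Run as: replica-refresh.sh replica1.example.com replica2.example.com
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from cron with the replica hostnames as arguments; with an unchanged CA certificate it exits without calling ipa-replica-prepare, so the stock of issued-but-unused certificates does not grow with every invocation.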
