[Freeipa-users] Understanding role of the certificate in client - server communication.
Rob Crittenden
rcritten at redhat.com
Tue Mar 18 22:24:26 UTC 2014
Genadi Postrilko wrote:
> Hello all.
> I'm trying to understand the use of the certificates in the
> communication between an IPA client and server.
> The documentation describes the retrieval of the CA certificate during
> client setup:
> "Retrieve the CA certificate for the IdM CA"
>
> And retrieval of SSL server certificate:
> "Enable certmonger, retrieve an SSL server certificate, and install the
> certificate in /etc/pki/nssdb"
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html#what-happens-clients
>
> From my understanding, the authentication in an IPA environment is
> Kerberos-based, therefore the client and server share a "secret" that
> allows the user to authenticate himself to the server and vice versa.
> Where does the need for a certificate come from? Are some of the IPA
> server services not kerberized?
Kerberos over HTTP requires SSL, which is why the CA is retrieved and
installed.
We don't currently use the machine certificate. This was for
future-proofing.
rob