[Freeipa-users] yet another certificate question

Natxo Asenjo natxo.asenjo at gmail.com
Thu Oct 9 13:03:19 UTC 2014


On Thu, Oct 9, 2014 at 2:33 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
> hi,
>
> if during the enrollment of a host a host certificate is created, then
> this will be a nssdb type certificate.
>
> However, lots of applications use file certificates and we can very
> easily create one of those (even using configuration management
> tools):
>
> /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
> --fqdn`.crt -k /etc/pki/tls/private/`hostname --fqdn`.key
>
> getcert list will see both, but in the ipa web interface in the host
> information only the last one will be shown.

well, replying to mysel, the attribute userCertificate appears to be
single valued. So that must be why.

So what happens with the other certificate in the nssdb directory? Can
I just stop tracking it locally? Or do I have to stop tracking it
because it will try to auto renew when it expires, and that will block
the file certificate?

Tips welcome!

-- 
groet,
natxo




More information about the Freeipa-users mailing list