[Freeipa-users] Client Certificate

Rob Crittenden rcritten at redhat.com
Thu Sep 18 16:21:49 UTC 2014


Walid A. Shaari wrote:
> Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and 3
> clients?

Sure, the cert isn't used anyway but it isn't optional to have
certmonger try to get one.

If you really care you can run a command to tell certmonger to stop
tracking the cert though:

# ipa-getcert stop-tracking -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com'

That doesn't remove the certificate from the database. If you want to do
that do:

# certutil -D -d /etc/pki/nssdb/ -n 'IPA Machine Certificate - client.example.com'

And you might want to revoke the cert. To do that you'd use ipa cert-revoke
<serial number>. You need pretty high privileges to do that though
(admin has them).

rob

> 
> On 18 September 2014 17:43, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
> 
>     Walid A. Shaari wrote:
>     > Hi,
>     >
>     > we are going to have a use case of diskless HPC clients that will use
>     > the IPA for lookups. I was wondering if I can get rid of the
>     > statefulness of the client configuration as much as possible, as it is
>     > more of a cattle than pets use case. That is, I do not need to know that
>     > the client is part of the domain, no need to enroll a node with a
>     > certificate, and services will be mostly HPC MPI and SSH, not required
>     > to have an SSL certificate for secure communication. Is it possible to
>     > get rid of the client certificate and the requirements for clients to
>     > enroll? Or are there other uses for the certificate that I am not
>     > aware of?
> 
>     Yes, you don't need to obtain a machine certificate. In fact we have
>     stopped doing this upstream.
> 
>     rob
> 
> 
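An added example, not from this thread or from the FreeIPA project: a POSIX sh check that a client (e.g. a diskless node being built as "cattle") no longer has certmonger tracking a machine certificate in a given NSS database. It parses the `certificate:` lines that `ipa-getcert list` prints; the sample output embedded below is constructed (request ID and hostnames are made up) and stands in for the real command.

```shell
#!/bin/sh
# Constructed sample of `ipa-getcert list` output for offline testing.
# On a real client, pipe the live command instead:
#   ipa-getcert list | tracked_nicknames /etc/pki/nssdb
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 1.
Request ID '20140918162149':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=client.example.com,O=EXAMPLE.COM
        expires: 2016-09-18 16:21:49 UTC
        track: yes
        auto-renew: yes"

# Print the nickname of every certificate certmonger tracks in NSS
# database $1. Reads `ipa-getcert list` output on stdin. The quote
# character is passed in as a variable so the regex works in any awk.
tracked_nicknames() {
    awk -v db="$1" -v q="'" '
        /^[ \t]*certificate: type=NSSDB,/ {
            loc = ""; nick = ""
            # location=... and nickname=... are single-quoted values
            if (match($0, "location=" q "[^" q "]*" q))
                loc = substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
            if (loc == db && nick != "") print nick
        }'
}

# Exit 0 if nickname $2 in database $1 is still tracked, 1 otherwise.
# Reads `ipa-getcert list` output on stdin.
is_tracked() {
    tracked_nicknames "$1" | grep -qxF "$2"
}

# Demo against the constructed sample: report what would still need
# `ipa-getcert stop-tracking` (and `certutil -D`) on this node.
printf '%s\n' "$SAMPLE_GETCERT_LIST" | tracked_nicknames /etc/pki/nssdb |
while read -r nick; do
    echo "still tracked in /etc/pki/nssdb: $nick"
done
```

In a node build pipeline the `is_tracked` exit status can gate the image: a non-zero result means the machine certificate has already been untracked as described in the thread.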
