Hi, On Tue, Jul 18, 2023 at 7:33 AM Harald Dunkel via FreeIPA-users < [email protected]> wrote:
> Hi folks, > > getcert list-cas returns on some FreeIPA clients > > root@nasl006a:~# getcert list-cas > CA 'SelfSign': > is-default: no > ca-type: INTERNAL:SELF > next-serial-number: 01 > CA 'IPA': > is-default: no > ca-type: EXTERNAL > helper-location: /usr/lib/certmonger/ipa-submit > CA 'certmaster': > is-default: no > ca-type: EXTERNAL > helper-location: /usr/lib/certmonger/certmaster-submit > CA 'dogtag-ipa-renew-agent': > is-default: no > ca-type: EXTERNAL > helper-location: > /usr/lib/certmonger/dogtag-ipa-renew-agent-submit > CA 'local': > is-default: no > ca-type: EXTERNAL > helper-location: /usr/lib/certmonger/local-submit > > certmaster-submit doesn't exist, but there are others not included > in this list: > > # find /usr/lib/certmonger -name \*-submit > /usr/lib/certmonger/dogtag-ipa-renew-agent-submit > /usr/lib/certmonger/scep-submit > /usr/lib/certmonger/local-submit > /usr/lib/certmonger/ipa-submit > /usr/lib/certmonger/dogtag-submit > > Is this something to be worried about? FreeIPA is version 4.9.8-1~bpo11+1 > from the Debian backports repository. > > Your list looks good to me. FreeIPA installs only a subset of CA helpers on clients. Some of the CA helpers are relevant only on servers/replicas with a CA role (for instance dogtag-ipa-ca-renew-agent is used to renew the certificates used by the Certificate Server itself). scep-submit is used if a SCEP server has been configured with *getcert add-scep-ca *(see Requesting a CA-signed Certificate Through SCEP [1]). dogtag-submit is used to request certificates to a Dogtag certificate server, outside of IPA, or is called internally during the early installation of a FreeIPA server. flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/certmonger-scep > Regards > > Harri > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
