Walid A. Shaari wrote:
> Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and 3
> clients?

Sure, the cert isn't used anyway but it isn't optional to have certmonger try to get one. If you really care you can run a command to tell certmonger to stop tracking the cert though:

# ipa-getcert stop-tracking -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com'

That doesn't remove the certificate from the database. If you want to do that do:

# certutil -D -d /etc/pki/nssdb/ -n 'IPA Machine Certificate - client.example.com'

And you might want to revoke the cert. To do that you'd use ipa cert-revoke <serial number>. You need pretty high privileges to do that though (admin has them).

rob

>
> On 18 September 2014 17:43, Rob Crittenden <[email protected]> wrote:
>
> Walid A. Shaari wrote:
> > Hi,
> >
> > we are going to have a use case of diskless HPC clients that will use
> > the IPA for lookups, I was wondering if I can get rid of the
> > state-fulness of the client configuration as much as possible as it is
> > more of a cattle than pets use case. That is, I do not need to know that
> > the client is part of the domain, no need to enroll a node with a
> > certificate. And services will be mostly hpc mpi and ssh, not required
> > to have an SSL certificate for secure communication. Is it possible to
> > get rid of the client certificate and the requirements for clients to
> > enroll? Or are there other uses for the certificate that I am not aware of?
>
> Yes, you don't need to obtain a machine certificate. In fact we have
> stopped doing this upstream.
>
> rob
>
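Added example, not part of the original thread and not FreeIPA's own tooling: the three commands from the reply above, ordered so the serial number is read from the NSS database before the certificate is deleted and is still available for `ipa cert-revoke`. The function names, the `DRY_RUN` switch, and the single-line `Serial Number: N (0x...)` layout assumed for `certutil -L` output are assumptions of this sketch.

```shell
#!/bin/sh
# Added example; cert_serial, run, remove_machine_cert and DRY_RUN are
# hypothetical names, not part of FreeIPA or certmonger.
NSSDB=/etc/pki/nssdb

# Read `certutil -L -n <nick>` pretty-print output on stdin and print the
# decimal serial. Assumes the single-line form "Serial Number: 11 (0xb)";
# prints nothing for any other layout, so the caller stops before deleting.
cert_serial() {
    sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\) (0x.*/\1/p' | head -n 1
}

# Print the command by default; execute it only when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 = client FQDN as used in the certificate nickname.
remove_machine_cert() {
    nick="IPA Machine Certificate - $1"

    # Capture the serial first: once certutil -D has run, the client
    # no longer holds the certificate to read it from.
    serial=$(certutil -L -d "$NSSDB" -n "$nick" | cert_serial)
    if [ -z "$serial" ]; then
        echo "could not read serial for '$nick'; nothing changed" >&2
        return 1
    fi

    run ipa-getcert stop-tracking -d "$NSSDB" -n "$nick"  # certmonger stops renewing
    run certutil -D -d "$NSSDB" -n "$nick"                # remove from the NSS db
    run ipa cert-revoke "$serial"                         # needs admin-level privileges
}

# Usage: sh script.sh client.example.com   (add DRY_RUN=0 to execute)
if [ -n "${1:-}" ]; then
    remove_machine_cert "$1"
fi
```

With the default `DRY_RUN=1` the script only prints the three commands, so the serial it resolved can be checked before anything is revoked.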
