hi,

On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden <[email protected]> wrote:

> Natxo Asenjo wrote:
> > hi,
> >
> > On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden <[email protected]> wrote:
> >
> > > Yes, you don't need to obtain a machine certificate. In fact we have
> > > stopped doing this upstream.
> >
> > Do you mean ipa will not have a CA in the future? Or will it be
> > optional? Or am I misunderstanding this :-) ? I quite like the CA stuff
> > in ipa, actually.
>
> No, don't worry, the CA isn't going anywhere :-)
>
> On the client right now we retrieve a certificate for host identity and
> store it in /etc/pki/nssdb. We did this for future proofing and here we
> are, pretty far in the future, and we've never used it. So we decided to
> stop generating it.
>
> If on the off chance it turns out we're wrong and someone has actually
> found a use for that certificate it can be quite easily generated using
> ipa-getcert after the client is enrolled.

ok. I was thinking of starting a pilot with dot1.x, and host certificates are usually used for this, so it would be nice to have a cli switch during enrollment.

--
groet,
natxo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
