Natxo Asenjo wrote:
> On Thu, Oct 9, 2014 at 2:33 PM, Natxo Asenjo <[email protected]> wrote:
>> hi,
>>
>> if during the enrollment of a host a host certificate is created, then
>> this will be a nssdb type certificate.
>>
>> However, lots of applications use file certificates and we can very
>> easily create one of those (even using configuration management
>> tools):
>>
>> /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname --fqdn`.crt -k /etc/pki/tls/private/`hostname --fqdn`.key
>>
>> getcert list will see both, but in the ipa web interface in the host
>> information only the last one will be shown.
>
> well, replying to myself, the attribute userCertificate appears to be
> single valued. So that must be why.
>
> So what happens with the other certificate in the nssdb directory? Can
> I just stop tracking it locally? Or do I have to stop tracking it
> because it will try to auto renew when it expires, and that will block
> the file certificate?
I was going to wait a bit as you seem to be doing a great job answering your own questions in this thread :-)

As you've discovered, it's one cert per service (or host). What you aren't seeing is that when you request another cert for the same service any existing certificate is revoked. If/when you start using OCSP or CRLs you'll see it big time.

I think renewal will work ok for both but the last one would "win" and all others would end up being marked as revoked. So yeah, you should stop tracking it. I suspect that unless the renewal happened simultaneously both would end up renewed, but one would be revoked (last one wins).

You may want to look into per-service certificates using the -K <principal> option to ipa-getcert. This will require pre-creating the services in IPA to store the certificate but otherwise it will function the same way.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
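Added example, not from the thread or the FreeIPA project: a small POSIX shell helper that parses `getcert list` output and picks out the requests for a host that are stored in an NSS database, so the enrollment-time duplicate can be untracked and only the file-based (or per-service `-K`) request keeps renewing. The `getcert list` sample is constructed, and `untrack_nssdb_duplicates`, which calls the real `getcert stop-tracking`, is a hypothetical wrapper.

```shell
#!/bin/sh
# Added example (not from the thread): locate the NSSDB-stored certmonger
# request(s) for a host so they can be untracked, leaving one request per
# principal to renew (the last request "wins" and revokes the others).

# Print the request IDs of tracked certificates stored in an NSS database
# whose subject CN is exactly $1.  Reads `getcert list` output on stdin.
nssdb_requests_for_cn() {
    awk -v cn="$1" -v q="'" '
        /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id); nss = 0; next }
        /^[[:space:]]*certificate: type=NSSDB/ { nss = 1; next }
        /^[[:space:]]*subject: / && nss {
            i = index($0, "CN=")                       # first CN= in the DN
            if (i) { split(substr($0, i + 3), p, ","); if (p[1] == cn) print id }
        }
    '
}

# Hypothetical wrapper: untrack every NSSDB-stored request for this host.
# Not called below; it runs the real getcert on a live IPA client.
untrack_nssdb_duplicates() {
    getcert list | nssdb_requests_for_cn "$(hostname --fqdn)" |
    while read -r id; do
        getcert stop-tracking -i "$id"
    done
}

# Constructed sample of `getcert list` output: the enrollment-time NSSDB
# cert and the later file-based request for the same host, as in the thread.
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 2.
Request ID '20141009123456':
	status: MONITORING
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
	subject: CN=host.example.com,O=EXAMPLE.COM
	track: yes
Request ID '20141009130000':
	status: MONITORING
	key pair storage: type=FILE,location='/etc/pki/tls/private/host.example.com.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/host.example.com.crt'
	subject: CN=host.example.com,O=EXAMPLE.COM
	track: yes"

# Demo on the constructed sample: only the NSSDB request ID is printed.
printf '%s\n' "$SAMPLE_GETCERT_LIST" | nssdb_requests_for_cn host.example.com
```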
