hi,

I posted this question to the centos list but I have not had a lot of
feedback, so allow me to ask it here as well.

I need to deploy an internal CA to our hosts. The CA is up and running
as a part of an IPA infrastructure. Not all linux hosts (mainly redhat
based) are or will be part of the kerberos realm.

Fedora is planning something I could use now
http://fedoraproject.org/wiki/Features/SharedSystemCertificates but it
is not there yet ;-)

I already have a deploying infrastructure (cfengine), so my question
is: what files do I need to move around for a systemwide installation?

The obvious start point will be /etc/PKI/ but in there in a random
client I already see some problems:

ls -l /etc/pki/
total 28
drwxr-xr-x. 6 root root 4096 Aug 23 06:55 CA
drwxr-xr-x. 4 root root 4096 Mar 13  2012 dovecot
drwxr-xr-x. 2 root root 4096 Mar 11  2012 java
drwxr-xr-x. 2 root root 4096 Feb  8 10:46 nssdb
drwxr-xr-x. 2 root root 4096 Oct 25 23:06 rpm-gpg
drwx------. 2 root root 4096 Jun 22  2012 rsyslog
drwxr-xr-x. 5 root root 4096 Oct 25 23:07 tls

For ldap queries, I need to add it in /etc/openldap/certs and run
cacertdir_rehash.

But there are lots of other apps that have their own configuration.

I guess I am not the first to have to do this, but google found little
info about this. Have you guys gone through such a project and would
you care sharing your solutions?

Thanks!
--
Groeten,
natxo