Date: | Tue, 19 Feb 2013 13:35:02 +0100 |
hi,
I posted this question to the CentOS list but I have not had a lot of
feedback, so allow me to ask it here as well.
I need to deploy an internal CA to our hosts. The CA is up and running
as a part of an IPA infrastructure. Not all Linux hosts (mainly Red Hat
based) are or will be part of the Kerberos realm.
Fedora is planning something I could use now
http://fedoraproject.org/wiki/Features/SharedSystemCertificates but it
is not there yet ;-)
I already have a deployment infrastructure (cfengine), so my question
is: what files do I need to move around for a systemwide installation?
The obvious starting point will be /etc/pki/ but in there, on a random
client, I already see some problems:
ls -l /etc/pki/
total 28
drwxr-xr-x. 6 root root 4096 Aug 23 06:55 CA
drwxr-xr-x. 4 root root 4096 Mar 13 2012 dovecot
drwxr-xr-x. 2 root root 4096 Mar 11 2012 java
drwxr-xr-x. 2 root root 4096 Feb 8 10:46 nssdb
drwxr-xr-x. 2 root root 4096 Oct 25 23:06 rpm-gpg
drwx------. 2 root root 4096 Jun 22 2012 rsyslog
drwxr-xr-x. 5 root root 4096 Oct 25 23:07 tls
For LDAP queries, I need to add it in /etc/openldap/certs and run
cacertdir_rehash.
But there are lots of other apps that have their own configuration.
I guess I am not the first to have to do this, but Google found little
info about this. Have you guys gone through such a project and would
you care to share your solutions?
Thanks!
--
Groeten,
natxo
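
The step mentioned above for /etc/openldap/certs (copy the CA file in, then rehash), written as an added example that is not part of the original post. The function name install_ca and its pinned-fingerprint argument are hypothetical; it assumes the openssl command-line tool and creates the <subject-hash>.N symlink that OpenSSL-style certificate directories are looked up by.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# install_ca SRC_PEM CERT_DIR EXPECTED_SHA256
# Installs a CA certificate into a hashed certificate directory, but only
# after checking that it is the CA we expect and that it really is a CA.
install_ca() {
    src=$1 dir=$2 want=$3

    # 1. Pin the fingerprint: refuse anything that is not the expected CA.
    got=$(openssl x509 -in "$src" -noout -fingerprint -sha256) || return 2
    got=$(printf '%s' "${got#*=}" | tr -d ':' | tr 'A-F' 'a-f')
    want=$(printf '%s' "$want" | tr -d ':' | tr 'A-F' 'a-f')
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got" >&2; return 3; }

    # 2. Only certificates with basicConstraints CA:TRUE belong in a trust dir.
    openssl x509 -in "$src" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate" >&2; return 4; }

    # 3. Install world-readable, writable by the owner only.
    mkdir -p "$dir" || return 5
    dest=$dir/$(basename "$src")
    install -m 0644 "$src" "$dest" || return 5

    # 4. Link <subject-hash>.N -> file. Reuse an existing link to this file
    #    (idempotent under repeated runs); otherwise take the next free N,
    #    since two different CAs can share a subject hash.
    hash=$(openssl x509 -in "$dest" -noout -hash) || return 2
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        [ "$(readlink "$dir/$hash.$n")" = "$(basename "$dest")" ] && return 0
        n=$((n + 1))
    done
    ln -s "$(basename "$dest")" "$dir/$hash.$n"
}
```

The expected fingerprint should come from the CA itself over a trusted channel, not from the same place the certificate file is fetched from.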