SCIENTIFIC-LINUX-USERS Archives

February 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Tue, 19 Feb 2013 09:19:08 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (48 lines)
On Tue, Feb 19, 2013 at 7:35 AM, Natxo Asenjo <[log in to unmask]> wrote:
> hi,
>
> I posted this question to the centos list but I have not had a lot of
> feedback, so allow me to ask it here as well.
>
> I need to deploy an internal CA to our hosts. The CA is up and running
> as a part of an IPA infrastructure. Not all Linux hosts (mainly Red Hat
> based) are or will be part of the Kerberos realm.
>
> Fedora is planning something I could use now
> http://fedoraproject.org/wiki/Features/SharedSystemCertificates but it
> is not there yet ;-)
>
> I already have a deploying infrastructure (cfengine), so my question
> is: what files do I need to move around for a systemwide installation?
>
> The obvious starting point will be /etc/PKI/, but in there on a random
> client I already see some problems:
>
> ls -l /etc/pki/
> total 28
> drwxr-xr-x. 6 root root 4096 Aug 23 06:55 CA
> drwxr-xr-x. 4 root root 4096 Mar 13  2012 dovecot
> drwxr-xr-x. 2 root root 4096 Mar 11  2012 java
> drwxr-xr-x. 2 root root 4096 Feb  8 10:46 nssdb
> drwxr-xr-x. 2 root root 4096 Oct 25 23:06 rpm-gpg
> drwx------. 2 root root 4096 Jun 22  2012 rsyslog
> drwxr-xr-x. 5 root root 4096 Oct 25 23:07 tls
>
> For LDAP queries, I need to add it in /etc/openldap/certs and run
> cacertdir_rehash.

SSL certificates are associated with specific applications, so
there's no surprise here. Also, some of the contents in /etc/pki are
for GPG keys, not SSL certificates (such as /etc/pki/rpm-gpg). And
others are for applications that probably don't need this unless
you're going to a lot of work, such as "/etc/pki/dovecot". And some
are the root certificates for Mozilla-designated upstream signature
authorities, such as /etc/pki/java/cacerts and /etc/pki/tls/cacerts/*

Unfortunately, each application handles the certificates
individually, so you really have to deal with these on an
application-by-application basis.

Which *application* are you using IPA for? Just Kerberos
authentication, or full account management, or what?
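As an added example (not code from either poster), here is what a config-management job would have to do for each of those per-application stores: populate a hash-indexed CA directory in the layout that c_rehash and cacertdir_rehash produce, check it afterwards, and separately import the same CA into a Java keystore. It assumes only the openssl and keytool command-line tools; all paths are arguments, not fixed locations.

```shell
#!/bin/sh
# Added example, not from this thread: maintain a hash-indexed CA directory
# (the layout c_rehash / cacertdir_rehash produce) for one internal CA.
# Assumes only the openssl CLI; target paths are arguments, not defaults.
set -eu

# install_ca_cert <ca.pem> <cacertdir>
# Copies the PEM in and links <subject-hash>.N to it; prints the link name.
install_ca_cert() {
    pem="$1"; dir="$2"
    mkdir -p "$dir"
    # Refuse anything that does not parse as an X.509 cert (e.g. a key).
    openssl x509 -in "$pem" -noout 2>/dev/null ||
        { echo "not a certificate: $pem" >&2; return 1; }
    hash=$(openssl x509 -in "$pem" -noout -hash)
    base=${pem##*/}
    cp -f "$pem" "$dir/$base"
    n=0
    # Walk <hash>.0, <hash>.1, ... so colliding hashes coexist and a re-run
    # on the same cert reuses its existing link instead of adding another.
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$base" ]; then
            echo "$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n"
    echo "$hash.$n"
}

# verify_ca_dir <cacertdir>
# Fails if any hash link no longer resolves to a certificate whose subject
# hash matches the link name (a renamed or replaced CA file, for instance).
verify_ca_dir() {
    dir="$1"; rc=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        name=${link##*/}; want=${name%.*}
        got=$(openssl x509 -in "$link" -noout -hash 2>/dev/null) || got=""
        if [ "$want" != "$got" ]; then echo "stale link: $link" >&2; rc=1; fi
    done
    return $rc
}

# install_java_ca <ca.pem> <keystore> <alias>
# Java keeps its own trust store (such as /etc/pki/java/cacerts), so the
# same CA must also be imported with keytool; "changeit" is the JDK default.
install_java_ca() {
    keytool -importcert -trustcacerts -noprompt -keystore "$2" \
        -storepass changeit -alias "$3" -file "$1"
}
```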
