SCIENTIFIC-LINUX-USERS Archives

February 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Tue, 19 Feb 2013 13:29:57 -0500

On Tue, Feb 19, 2013 at 1:13 PM, Natxo Asenjo <[log in to unmask]> wrote:
> On Tue, Feb 19, 2013 at 3:19 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:
>
>> SSL certificates are associated with specific applications, so
>> there's no surprise here. Also, some of the contents in /etc/pki are
>> for GPG keys, not SSL certificates (such as /etc/pki/rpm-gpg). And
>> others are for applications that probably don't need this unless
>> you're going to a lot of work, such as "/etc/pki/dovecot". And some
>> are the root certificates for Mozilla designated upstream signature
>> authorities, such as /etc/pki/java/cacerts and /etc/pki/tls/cacerts/*
>>
>> Unfortunately, each application handles the certificates
>> individually, so you really have to deal on an application by
>> application basis with these.
>>
>> Which *application* are you using IPA for? Just Kerberos
>> authentication, or full account management, or what?
>
> the total package, including soon a cross realm trust with an AD infrastructure.
>
> I am starting to think that maybe a wildcard certificate might just be
> easier and cheaper ...

Yeah, I'm a bit concerned about IPA. It sounds like a great idea to
integrate and harden those services, but I've done Kerberos and LDAP
migrations. With Samba 4 out and working, I'm not sure there's a big
market for it. And I definitely expect Samba 4 to work with SL 7. (I'm
writing rebundling SRPMs for Samba 4.0.3 on SL 6 right now.....)
