On 06/12/2014 07:45 PM, Jan Cholasta wrote: ... > Note that automatic distribution of CA certificates to IPA systems is not > implemented yet (it's planned for IPA 4.2, see > <https://fedorahosted.org/freeipa/ticket/4322>), so /etc/ipa/ca.crt, > /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are updated > *only* > during client/server install. > > Honza
For 4.0, we will need to come up with manual procedure how to renew the certificates *without* reinstalling the client or server. I think the best way would be to prepare a simple script to renew client/server, something like /usr/share/ipa/ipa-renew-client-certificate /usr/share/ipa/ipa-renew-server-certificate and refer to it in the ipa-cacert-manage man page. People could then pretty easily run those after a cert change, using whatever means their infrastructure uses - puppet, ssh, ... Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
