diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2009-11-03 09:35:19 -0500 |
|---|---|---|
| committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-11-03 09:04:05 -0700 |
| commit | bd619adb5c1cfcd9e72c18896aded82e2ab33faa (patch) | |
| tree | 749d6ef90707772a5146d03c6bc78ef59a5f664c /install/conf | |
| parent | e4c119ed4b05fe600377360e697483bd59000b37 (diff) | |
| download | freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.gz freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.xz freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.zip | |
Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.
In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service
It might look something like:
admin
ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin
client
ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
Diffstat (limited to 'install/conf')
0 files changed, 0 insertions, 0 deletions