hi, I need to deploy an internal CA to our hosts. Fedora is planning something I could use now, http://fedoraproject.org/wiki/Features/SharedSystemCertificates, but it is not there yet ;-)

I already have a deployment infrastructure (cfengine), so my question is: what files do I need to move around for a system-wide installation? The obvious starting point would be /etc/PKI/, but in there on a random client I already see some problems:

ls -l /etc/pki/
total 28
drwxr-xr-x. 6 root root 4096 Aug 23 06:55 CA
drwxr-xr-x. 4 root root 4096 Mar 13 2012 dovecot
drwxr-xr-x. 2 root root 4096 Mar 11 2012 java
drwxr-xr-x. 2 root root 4096 Feb 8 10:46 nssdb
drwxr-xr-x. 2 root root 4096 Oct 25 23:06 rpm-gpg
drwx------. 2 root root 4096 Jun 22 2012 rsyslog
drwxr-xr-x. 5 root root 4096 Oct 25 23:07 tls

For LDAP queries, I need to add it to /etc/openldap/certs and run cacertdir_rehash. But there are lots of other apps that have their own configuration.

I guess I am not the first to have to do this, but Google found little info about this. Have you guys gone through such a project, and would you care to share your solutions?

Thanks!

-- 
Groeten,
natxo
On 2/17/2013 11:00 AM, Natxo Asenjo wrote:
> I need to deploy an internal CA to our hosts.....

you say a CA, then you talk about PKI, and finally LDAP which is a Directory Server. these things are all interrelated, but remain three separate entities.

For a full-blown LDAP directory server, you might want to look at the 389 project, http://port389.org/wiki/Main_Page ... this is available for CentOS6 via the EPEL repository. 389 started as a fork of the old Netscape Directory Server.

389 has been integrated with the "Dogtag" CA system as FreeIPA, but I believe this is more focused towards being a Windows Active Directory replacement.

-- 
john r pierce 37N 122W
somewhere on the middle of the left coast
On Sun, Feb 17, 2013 at 10:13 PM, John R Pierce <pierce at hogranch.com> wrote:
> On 2/17/2013 11:00 AM, Natxo Asenjo wrote:
>> I need to deploy an internal CA to our hosts.....
>
> you say a CA, then you talk about PKI, and finally LDAP which is a
> Directory Server. these things are all interrelated, but remain three
> separate entities.

sure, but to use this stuff all the apps still need to have the right CA cert info.

> For a fullblown LDAP directory server, you might want to look at the 389
> project, http://port389.org/wiki/Main_Page ... this is available for
> CentOS6 via the EPEL repository. 389 started as a fork of the old
> Netscape Directory Server.
>
> 389 has been integrated with the "Dogtag" CA system as FreeIPA but I
> believe this is more focused towards being a Windows Active Directory
> replacement.

thanks, I think I did not express myself well enough. We already have an IPA realm for our CentOS hosts, and it indeed has a built-in CA (Dogtag). The problem is we have other hosts *not* in the realm, and they need to use services with this internal CA. And they need to use them without warnings about how unsafe this unknown CA is.

So for LDAP clients, you drop the CA cert in a directory and the LDAP tools do not complain. The same goes for Java tools, Mozilla/Thunderbird, Chrome, ...

So the question is: where do you add the CA information on CentOS/Red Hat servers for those kinds of applications?

-- 
natxo
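As an added example, not code from anyone in this thread: a POSIX sh function that drops one CA certificate into the per-application stores discussed above on a RHEL/CentOS 6 host (/etc/openldap/certs plus cacertdir_rehash, /etc/pki/tls/certs, the shared NSS database in /etc/pki/nssdb, and the OpenJDK keystore at /etc/pki/java/cacerts), suitable for calling from a cfengine-pushed script. The ROOT argument, the ca_copies helper and the alias name are assumptions of this example; the keytool password and the NSS trust flags are the upstream defaults.

```shell
#!/bin/sh
# Added example, not from the thread: install one internal CA certificate into
# the trust stores of a RHEL/CentOS 6 host. Paths are the Red Hat defaults;
# ROOT (an assumption of this example) prefixes them so the function can be
# dry-run against a scratch directory. Each tool runs only when it is installed
# and its store exists, so a host missing Java or NSS does not abort the run.

# deploy_ca CERT.pem ALIAS [ROOT]
deploy_ca() {
    cert=$1; name=$2; root=${3:-}
    ldapdir="$root/etc/openldap/certs"   # OpenLDAP clients: TLS_CACERTDIR
    tlsdir="$root/etc/pki/tls/certs"     # OpenSSL-based tools
    nssdb="$root/etc/pki/nssdb"          # shared NSS database (libnss users)
    jks="$root/etc/pki/java/cacerts"     # OpenJDK system keystore

    mkdir -p "$ldapdir" "$tlsdir"
    install -m 0644 "$cert" "$ldapdir/$name.pem"
    install -m 0644 "$cert" "$tlsdir/$name.pem"

    # Subject-hash symlinks so OpenSSL and OpenLDAP can locate the CA by hash.
    if command -v cacertdir_rehash >/dev/null 2>&1; then
        cacertdir_rehash "$ldapdir"
        cacertdir_rehash "$tlsdir"
    fi
    # Shared NSS database. Firefox, Thunderbird and Chrome profiles keep their
    # own per-user database, which this step does not touch.
    if command -v certutil >/dev/null 2>&1 && [ -f "$nssdb/cert9.db" ]; then
        certutil -d "sql:$nssdb" -A -t "CT,C,C" -n "$name" -i "$cert"
    fi
    # OpenJDK: the shipped cacerts store uses the well-known password "changeit".
    if command -v keytool >/dev/null 2>&1 && [ -f "$jks" ]; then
        keytool -importcert -noprompt -trustcacerts -alias "$name" \
            -file "$cert" -keystore "$jks" -storepass changeit
    fi
}

# ca_copies ALIAS [ROOT]: print each PEM copy deployed for ALIAS, one per line,
# so a post-deploy check can confirm the anchor landed where expected.
ca_copies() {
    name=$1; root=${2:-}
    for f in "$root/etc/openldap/certs/$name.pem" \
             "$root/etc/pki/tls/certs/$name.pem"; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}
```

Run as root with the real paths (no ROOT argument) after copying the CA's PEM file to the host; the NSS and Java steps are skipped silently on hosts without those stores, so check ca_copies and the tool logs rather than assuming every store was updated.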