[CentOS] add CA to centos clients

Sun Feb 17 22:29:01 UTC 2013
Natxo Asenjo <natxo.asenjo at gmail.com>

On Sun, Feb 17, 2013 at 10:13 PM, John R Pierce <pierce at hogranch.com> wrote:
> On 2/17/2013 11:00 AM, Natxo Asenjo wrote:
>> I need to deploy an internal CA to our hosts.....
>
> you say a CA, then you talk about PKI, and finally LDAP which is a
> Directory Server.   these things are all interrelated, but remain three
> separate entities.

sure, still to use stuff all the apps need to have the right CA cert info.

> For a fullblown LDAP directory server, you might want to look at the 389
> project, http://port389.org/wiki/Main_Page ... this is available for
> CentOS6 via the EPEL repository.    389 started as a fork of the old
> Netscape Directory Server.
>
> 389 has been integrated with the "Dogtag" CA system as FreeIPA but I
> believe this is more focused towards being a Windows Active Directory
> replacement.

thanks, I think I did not express myself well enough.

We already have a ipa realm for our centos hosts and it indeed has a
built-in CA (dogtag).

The problem is we have other hosts *not* in the realm and they need to
use services with this internal CA. And they need to use them without
warnings about how unsafe this unknown CA is.

So for ldap clients, you drop the ca-cert in a directory and the ldap
tools do not complain. The same goes for java tools,
mozilla/thunderbird, chrome, ...

So the question is: where do you add the CA information in
centos/redhat servers for those kinds of applications?

-- 
natxo