[CentOS] add CA to centos clients

Natxo Asenjo

natxo.asenjo at gmail.com
Sun Feb 17 19:00:37 UTC 2013


hi,

I need to deploy an internal CA to our hosts. Fedora is planning
something I could use now
http://fedoraproject.org/wiki/Features/SharedSystemCertificates but it
is not there yet ;-)

I already have a deploying infrastructure (cfengine), so my question
is: what files do I need to move around for a systemwide installation?

The obvious start point will be /etc/PKI/ but in there in a random
client I already see some problems:

ls -l /etc/pki/
total 28
drwxr-xr-x. 6 root root 4096 Aug 23 06:55 CA
drwxr-xr-x. 4 root root 4096 Mar 13  2012 dovecot
drwxr-xr-x. 2 root root 4096 Mar 11  2012 java
drwxr-xr-x. 2 root root 4096 Feb  8 10:46 nssdb
drwxr-xr-x. 2 root root 4096 Oct 25 23:06 rpm-gpg
drwx------. 2 root root 4096 Jun 22  2012 rsyslog
drwxr-xr-x. 5 root root 4096 Oct 25 23:07 tls

For ldap queries, I need to add it in /etc/openldap/certs and run
cacertdir_rehash.

But there are lots of other apps that have their own configuration.

I guess I am not the first to have to do this, but google found little
info about this. Have you guys gone through such a project and would
you care sharing your solutions?

Thanks!
--
Groeten,
natxo



More information about the CentOS mailing list