
Certmonger

Endi S. Dewata edited this page Mar 8, 2023 · 8 revisions

Helpers

dogtag-ipa-ca-renew-agent on master

  • used for renewing CA system certs (signing, OCSP, subsystem, audit)

  • calls http://<hostname>:8080/ca/ee/ca

  • authenticated using IPA RA agent cert (ipaCert)

  • stores renewed cert under cn=ca_renewal,cn=ipa,cn=etc,<base DN>

dogtag-ipa-ca-renew-agent on replica

  • gets renewed cert from cn=ca_renewal,cn=ipa,cn=etc,<base DN>

ipa

  • used for renewing SSL cert

  • calls https://<hostname>/ipa/xml

  • authenticated using host keytab (/etc/krb5.keytab)

  • IPA forwards the request to PKI
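To see which helper owns each tracked certificate and whether its renewal is healthy, the output of `getcert list` can be parsed per request. The script below is an added example, not part of the original page or of Certmonger itself. It assumes the usual `getcert list` field layout, the CA nickname `IPA` for the ipa helper, and a UTC `expires` timestamp; the sample input is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout printed by `getcert list` (not from a real host).
SAMPLE = """\
Request ID '20230308101500':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2025-02-25 10:15:00 UTC
Request ID '20230308101501':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2023-04-01 10:15:00 UTC
Request ID '20230308101502':
    status: MONITORING
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    expires: 2023-03-20 10:15:00 UTC
"""

def parse_requests(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            # Split on the first ": " only; values such as timestamps contain colons.
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def needs_attention(requests, now, warn_days=28):
    """Return (id, helper, reason) for requests that are failing or close to expiry."""
    findings = []
    for r in requests:
        expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        if r.get("status") != "MONITORING":
            findings.append((r["id"], r.get("CA"), "status " + r.get("status", "?")))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((r["id"], r.get("CA"), "expires " + r["expires"]))
    return findings

if __name__ == "__main__":
    for finding in needs_attention(parse_requests(SAMPLE), datetime.now(timezone.utc)):
        print(*finding, sep="\t")
```

On a live host, pass the text captured from `getcert list` to `parse_requests` in place of `SAMPLE`.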

See Also
