freeipa/install
Rob Crittenden bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
conf Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
html Get merged tree into an installable state. 2009-02-03 15:29:20 -05:00
share Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
tools Auto-detect whether dogtag needs to be uninstalled 2009-10-21 11:14:28 -04:00
updates First pass at enforcing certificates be requested from same host 2009-10-21 03:22:44 -06:00
configure.ac Get merged tree into an installable state. 2009-02-03 15:29:20 -05:00
Makefile.am Get merged tree into an installable state. 2009-02-03 15:29:20 -05:00