I am setting up FreeRADIUS on my "network server" at home, which also runs FreeIPA. Naturally, I would like to use certmonger to issue, track, and renew the certificate(s) used by FreeRADIUS.
Unfortunately, ipa-getcert only works when run as root, and it writes the certificate and key files as root/0600, leaving them unreadable by radiusd. I can obviously change the permissions of the files, but certmonger will presumably reset them when it renews the certificate.
I feel like I must be missing something obvious. certmonger must be usable with services that run as a non-root user, right?