Scott Reed via FreeIPA-users wrote:
Hi all,
I assumed that all certificates for FreeIPA were stored in the integrated DogTag server,
but someone said that the certificates stored for an individual account are stored in an
NSS database. Is this correct? It seems weird to me, but I just wanted to check.
It isn't that simple.
Dogtag as the CA contains all of the certificates it issued. It uses
LDAP as its backend. This contains only public keys.
For its own operational certificates it uses an NSS database. This only
contains the 5 or 6 certificates needed by the CA (ocsp cert, audit
cert, etc).
Beyond that the CA doesn't control where the private keys are stored (NSS
or flat file PEM for example).
In a current IPA server the storage format varies by server. Apache
uses PEM files, 389-ds uses an NSS database, the PKINIT certificate is
PEM and the RA agent (used to talk to the CA) is also a set of PEM files.
Is there a reason for the question or just curiosity?
rob