On Mon, 2007-11-26 at 15:27 -0700, Stephen John Smoogen wrote:
> On Nov 26, 2007 3:09 PM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
> >
> > If the hostname is changing randomly there's not going to be a way to
> > contact the host via func, anyway. So that use case is kinda moot. Think
> > of it the same way as having a webserver which is randomly changing its
> > ip address and hostname. You're sol on consistently contacting the
> > webserver and you'll know for damned sure the ssl certs won't match. :)
> >
>
> Ah I had been wondering about 'provisioning/maintaining' student
> desktops which are on first come first serve with the dhcp servers.
> Not a scenario for this though.
>
> The other case shows up where stupid DNS is run as dynamic dns with
> admins who say things like "let you choose your name on this lan."
>
> > If another box submits the same csr for lshark.bar.org as the certmaster
> > got originally it will hand it back the proper cert. If the csr is NOT
> > the same then it will belch out an error and tell the asking box to go
> > die.
> >
> > does that make sense?
> >
>
> Yes.. oh what happens if a box sends various certs before the sysadmin
> approves them. Say the old, rebuild the box.. ah crap wrong
> partitions.. rebuild the box.. what you want oracle on it now,
> repartition.. rebuild the box...

you need to clean out the old certs/csrs with certmaster-ca -c -sv
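As an added illustration of the enrolment policy described in this exchange (not code from certmaster or from either poster), here is a toy in-memory model: the first CSR seen for a hostname is remembered, an identical resubmission gets the cert once the admin has signed it, a different CSR for an already-known hostname is refused, and the admin's clean step is what lets a rebuilt box with a fresh key enrol again. The `CertStore` class, the `Outcome` states, the hostname and the CSR byte strings are all constructed for the example; the real tool keeps CSRs and certs on disk and signs with a real CA key, which this model replaces with a placeholder record.

```python
"""Toy model of a first-come CSR enrolment policy (constructed example, not certmaster code)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    PENDING = "pending"      # CSR stored, waiting for the admin to sign it
    ISSUED = "issued"        # the signed cert for this hostname was handed back
    REJECTED = "rejected"    # a different CSR is claiming an already-known hostname


@dataclass
class CertStore:
    # hostname -> fingerprint of the CSR first seen for that name
    csrs: dict = field(default_factory=dict)
    # hostname -> issued "certificate" (placeholder record standing in for a signed cert)
    certs: dict = field(default_factory=dict)

    @staticmethod
    def fingerprint(csr: bytes) -> str:
        # Compare CSRs by digest so two submissions with different keys never match
        return hashlib.sha256(csr).hexdigest()

    def submit(self, hostname: str, csr: bytes):
        """Client side of enrolment. Returns (outcome, cert_or_None)."""
        fp = self.fingerprint(csr)
        known = self.csrs.get(hostname)
        if known is None:
            # First time this name is seen: record the CSR and wait for the admin
            self.csrs[hostname] = fp
            return Outcome.PENDING, None
        if known != fp:
            # Another box (or a rebuilt one with a new key) trying to take over
            # an existing name: refuse rather than silently re-issuing
            return Outcome.REJECTED, None
        cert = self.certs.get(hostname)
        if cert is None:
            return Outcome.PENDING, None
        return Outcome.ISSUED, cert

    def sign(self, hostname: str) -> bool:
        """Admin side: approve the pending CSR for hostname."""
        fp = self.csrs.get(hostname)
        if fp is None:
            return False
        self.certs[hostname] = {"cn": hostname, "csr_fingerprint": fp}
        return True

    def clean(self, hostname: str) -> None:
        """Admin side: drop both the CSR and the cert, as the cleanup step in the thread does."""
        self.csrs.pop(hostname, None)
        self.certs.pop(hostname, None)


def rebuild_scenario():
    """Walk through the 'rebuild the box' case from the thread; returns the outcomes seen."""
    store = CertStore()
    first_csr = b"constructed CSR for lshark.bar.org, key from first install"
    second_csr = b"constructed CSR for lshark.bar.org, new key after reinstall"

    seen = []
    seen.append(store.submit("lshark.bar.org", first_csr)[0])    # PENDING: first sighting
    store.sign("lshark.bar.org")                                 # admin approves
    seen.append(store.submit("lshark.bar.org", first_csr)[0])    # ISSUED: same CSR, cert handed back
    seen.append(store.submit("lshark.bar.org", second_csr)[0])   # REJECTED: new key, old name
    store.clean("lshark.bar.org")                                # admin clears stale CSR and cert
    seen.append(store.submit("lshark.bar.org", second_csr)[0])   # PENDING: rebuilt box can enrol again
    return seen
```

The rejection branch is the security-relevant one: without it, whichever box asked last would be handed a certificate for a name it may not own, which is exactly the dynamic-DNS "choose your own name" worry raised above. The cost is the operational one the thread notes: after a legitimate reinstall the old state has to be cleaned out by hand before the new key is accepted.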