[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options
abbra
freeipa-github-notification at redhat.com
Wed Mar 1 12:03:19 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options
abbra commented:
"""
An idea behind the original solution was to always produce a PKINIT certificate by certmonger in case of a CA-less install to be able to have anonymous PKINIT supported. PKINIT certs should have specific attributes and in many cases they aren't issued by external CAs. However, the certificate does not really need to be connected to existing CAs.
Admins can re-issue the PKINIT cert afterwards but at least we can get anonymous PKINIT to wrap 2FA with.
So this pull request actually breaks CA-less deployment.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283322805