[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

HonzaCholasta freeipa-github-notification at redhat.com
Wed Mar 1 12:50:45 UTC 2017


URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options

HonzaCholasta commented:
"""
In CA-less mode one has to provide all the certs manually. I don't see why the KDC cert should be an exception and why we should reinvent the wheel for it.

You can't use the local CA anyway, because it's not trusted by IPA. Even if you made it trusted on the local system, it would not be trusted globally - to do that you would have to either make every local CA on every server trusted globally, which does not scale well and would most likely cause more issues than solve, or provide a mechanism to synchronize the CA's private key between servers, which is non-trivial and out of the scope of the PKINIT effort.

If you think it is a good idea to support the local CA in addition to Dogtag, please file an RFE. Meanwhile, this PR fixes an obvious bug without implementing any additional features.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283331589
