[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

HonzaCholasta freeipa-github-notification at redhat.com
Tue May 16 05:35:31 UTC 2017


URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
@stlaz, this seems to be a bug in kinit. When you have a certificate chain root CA -> intermediate CA -> KDC and want to trust the intermediate CA, but not the root CA, the validation will always fail. This is the case in an external CA setup (the external CA is the root CA, IPA CA is the intermediate CA), but I haven't confirmed it without IPA yet.

Without this patchset, both the CA certificates are trusted, which is a bug, but makes kinit work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301680152

