[Freeipa-devel] [PATCHES] 0210-0213 Drop selfsign server functionality

Rob Crittenden rcritten at redhat.com
Thu Apr 4 19:14:29 UTC 2013


Petr Viktorin wrote:
> Hello,
>
> These patches convert selfsign masters to CA-less on upgrade, and remove
> all selfsign-related code.
>
> The files the CA uses are left around for admins to pick up cert
> management manually. Instructions for that are provided in the design
> document. They pretty much just document what the selfsign CA did.
> Removing the automation may seem like a step backwards, but when the
> steps are just a wiki page, the admins can adjust for their needs (e.g.
> issue wildcard certs). For an automated solution we have Dogtag.
>
> Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
> Ticket: https://fedorahosted.org/freeipa/ticket/3494
>
> (Note that removing the --selfsign *option*, not functionality, has a
> separate ticket and design doc.)

As I've been looking at this I'm having some reservations about this. It 
is going to remove functionality from a running server. And once gone I 
don't think one could easily get it back.

I guess I'd be fine deprecating it and no longer providing any support, 
and strongly recommending that people move away from it, but dropping it 
mid-release seems rather strict.

rob



