[Freeipa-devel] [PATCHES] 0210-0213 Drop selfsign server functionality

Rob Crittenden rcritten at redhat.com
Mon Apr 15 13:42:11 UTC 2013


Martin Kosek wrote:
> On 04/04/2013 09:14 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> Hello,
>>>
>>> These patches convert selfsign masters to CA-less on upgrade, and remove
>>> all selfsign-related code.
>>>
>>> The files the CA uses are left around for admins to pick up cert
>>> management manually. Instructions for that are provided in the design
>>> document. They pretty much just document what the selfsign CA did.
>>> Removing the automation may seem like a step backwards, but when the
>>> steps are just a wiki page, the admins can adjust for their needs (e.g.
>>> issue wildcard certs). For an automated solution we have Dogtag.
>>>
>>> Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
>>> Ticket: https://fedorahosted.org/freeipa/ticket/3494
>>>
>>> (Note that removing the --selfsign *option*, not functionality, has a
>>> separate ticket and design doc.)
>>
>> As I've been looking at this I'm having some reservations about this. It is
>> going to remove functionality from a running server. And once gone I don't
>> think one could easily get it back.
>>
>> I guess I'd be fine deprecating it and no longer providing any support, and
>> strongly recommending that people move away from it, but dropping it
>> mid-release seems rather strict.
>>
>> rob
>
> I am thinking that keeping the nonfunctional selfsign code would rather create
> a mess; I would personally tend toward removing that in 3.2. As this patch also
> converts selfsign installations to CA-less, current selfsign installations would
> still work - except for creating replicas, where people would need to generate certs
> for the replica.
>
> I also did not see much resistance or concerns when Petr sent a Heads-up mail
> to freeipa-users (but of course, not every one of our users reads that).
> https://www.redhat.com/archives/freeipa-users/2013-March/msg00235.html
>
> Martin
>

You can also more easily issue server certs for services, and enrolled 
clients get a server cert.

rob
