[Freeipa-devel] [RFE] Drop --selfsign
Petr Viktorin
pviktori at redhat.com
Wed Mar 20 16:11:10 UTC 2013
Here is an RFE for https://fedorahosted.org/freeipa/ticket/3494.
It's for dropping the --selfsign option from ipa-server-install. The
functionality itself stays in for now (on upgraded self-signed masters).
http://freeipa.org/page/V3/Drop_selfsign
--
Petr³
__NOTOC__
= Overview =
Ticket [https://fedorahosted.org/freeipa/ticket/3352 3352] Drop
--selfsign server functionality:
In the future, we would like to support 2 flavors of certificate
management in IPA:
* IPA with pki-ca (dogtag) with either a self-signed certificate or with
a certificate signed by external CA (--external-ca option)
* IPA with no pki-ca installed with certificates signed and provided by
an external CA.
Installation with --selfsign (self-signed certificate managed in local NSS
database on server) is rather troublesome and not even supported - it should
be dropped.
= Use Cases =
# User tries passing the --selfsign option to ipa-server-install.
# The install fails as there is no such option.
# User upgrades a server that uses the self-signed CA
# The CA continues to work normally
= Design =
The --selfsign option to ipa-server-install will be removed.
Existing self-signed CAs should continue working for now, but the
functionality is untested, and may be removed entirely in the near future.
= Implementation =
No additional requirements or changes discovered during the
implementation phase.
= Feature Management =
N/A
= Major configuration options and enablement =
N/A
= Replication =
No impact; self-signed CAs are incapable of replication.
= Updates and Upgrades =
Self-signed CAs should continue to work after upgrading to the new version.
As before, they are neither tested nor supported.
= Dependencies =
N/A
= External Impact =
QE will need to drop tests for the self-signed CA, if they have any.
Documentation may need updating.