Petr Viktorin wrote:
Hello,

These patches convert selfsign masters to CA-less on upgrade, and remove
all selfsign-related code.

The files the CA uses are left around for admins to pick up cert
management manually. Instructions for that are provided in the design
document. They pretty much just document what the selfsign CA did.
Removing the automation may seem like a step backwards, but when the
steps are just a wiki page, the admins can adjust for their needs (e.g.
issue wildcard certs). For an automated solution we have Dogtag.

Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494

(Note that removing the --selfsign *option*, not functionality, has a
separate ticket and design doc.)

As I've been looking at this I'm having some reservations about this. It is going to remove functionality from a running server. And once gone I don't think one could easily get it back.

I guess I'd be fine deprecating it and no longer providing any support, and strongly recommending that people move away from it, but dropping it mid-release seems rather strict.

rob
