Martin Kosek wrote:
On 04/04/2013 09:14 PM, Rob Crittenden wrote:
Petr Viktorin wrote:

These patches convert selfsign masters to CA-less on upgrade, and remove
all selfsign-related code

The files the CA uses are left around for admins to pick up cert
management manually. Instructions for that are provided in the design
document. They pretty much just document what the selfsign CA did.
Removing the automation may seem like a step backwards, but when the
steps are just a wiki page, the admins can adjust for their needs (e.g.
issue wildcard certs). For an automated solution we have Dogtag.


(Note that removing the --selfsign *option*, not functionality, has a
separate ticket and design doc.)

As I've been looking at this I'm having some reservations about this. It is
going to remove functionality from a running server. And once gone I don't
think one could easily get it back.

I guess I'd be fine deprecating it and no longer providing any support, and
strongly recommending that people move away from it, but dropping it
mid-release seems rather strict.


I am thinking that keeping the nonfunctional selfsign code would rather create a
mess; I would personally tend toward removing that in 3.2. As this patch also
converts selfsign installations to CA-less, current selfsign installation would
still work - except creating replicas where people would need to generate certs
for the replica.

I also did not see much resistance or many concerns when Petr sent a heads-up mail
to freeipa-users (but of course, not every one of our users reads that).


You can also more easily issue server certs for services, and enrolled clients get a server cert.


