I updated the Sub-CAs design page with more detail on key
replication. This part of the design is nearly complete (a large
patchset is in review over at pki-devel@), but there are various
options for how to authenticate to Custodia.
In brief, the options are:
1) authenticate as host principal; install binary setuid
root:pkiuser to read host keytab and custodia keys.
2) authenticate as host principal; copy host keytab and custodia
keys to location readable by pkiuser.
3) create new principal for pkiuser to use, along with custodia keys
and keytab in location readable by pkiuser.
I prefer option (1) for reasons outlined in the design page. The
design page goes into quite a bit more detail so please review the
section linked above and get back to me with your thoughts.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
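The following is an added example, not code from the thread above or from FreeIPA/Dogtag, showing the on-disk privilege invariants that option (1) relies on: a helper owned by root with group pkiuser and mode 4750 is the only path by which pkiuser reaches the host keytab and the Custodia keys, so those files themselves stay 0600 root. The helper name, the pkiuser uid/gid, the Custodia key file location and the reading of "setuid root:pkiuser" as owner root, group pkiuser, mode 4750 are assumptions; only ordinary DAC is modelled (no ACLs, capabilities or SELinux).

```python
"""Privilege-layout audit for option (1): a setuid-root helper with group
pkiuser is the sole read path from pkiuser to the secrets.

Added example; not FreeIPA or Dogtag code.  Assumed: helper path/name,
pkiuser uid/gid, Custodia key location, and "setuid root:pkiuser" meaning
owner root, group pkiuser, mode 4750.  Ordinary DAC only.
"""
import stat

ROOT_UID = 0
PKIUSER_UID = 17   # assumed; the real value comes from /etc/passwd
PKIUSER_GID = 17   # assumed

HELPER = "/usr/libexec/ipa/custodia-auth-helper"   # hypothetical helper name
HOST_KEYTAB = "/etc/krb5.keytab"                    # host principal keytab
CUSTODIA_KEYS = "/etc/ipa/custodia/server.keys"     # assumed key file location

# Constructed layouts: path -> (st_uid, st_gid, st_mode) as os.stat reports them.
OPTION1_LAYOUT = {
    HELPER:        (ROOT_UID, PKIUSER_GID, stat.S_IFREG | 0o4750),
    HOST_KEYTAB:   (ROOT_UID, 0,           stat.S_IFREG | 0o600),
    CUSTODIA_KEYS: (ROOT_UID, 0,           stat.S_IFREG | 0o600),
}

# Option (2) flavour: the same helper, but the secrets were made readable by pkiuser.
OPTION2_LAYOUT = {
    HELPER:        (ROOT_UID, PKIUSER_GID, stat.S_IFREG | 0o4750),
    HOST_KEYTAB:   (ROOT_UID, PKIUSER_GID, stat.S_IFREG | 0o640),
    CUSTODIA_KEYS: (ROOT_UID, PKIUSER_GID, stat.S_IFREG | 0o640),
}


def dac_can_read(uid, gid, st_uid, st_gid, st_mode):
    """True if a process running as (uid, gid) can open the file for reading
    under discretionary access control.  Root bypasses DAC; otherwise only
    the first matching class (owner, then group, then other) is consulted."""
    if uid == ROOT_UID:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if gid == st_gid:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def audit_option1(layout, uid=PKIUSER_UID, gid=PKIUSER_GID):
    """Return a list of findings.  Empty means the layout satisfies option (1):
    the helper is setuid root and executable by pkiuser only, and nobody but
    root can read the keytab or the Custodia keys directly."""
    findings = []

    h_uid, h_gid, h_mode = layout[HELPER]
    if h_uid != ROOT_UID or not h_mode & stat.S_ISUID:
        findings.append(f"{HELPER}: must be owned by root and setuid")
    if h_gid != gid or not h_mode & stat.S_IXGRP:
        findings.append(f"{HELPER}: group must be pkiuser with group execute")
    if h_mode & stat.S_IRWXO:
        findings.append(f"{HELPER}: no 'other' permissions on a setuid binary")
    if h_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{HELPER}: setuid binary must not be group/world writable")

    for path in (HOST_KEYTAB, CUSTODIA_KEYS):
        s_uid, s_gid, s_mode = layout[path]
        if dac_can_read(uid, gid, s_uid, s_gid, s_mode):
            findings.append(f"{path}: readable by pkiuser directly, bypassing the helper")
        if s_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: should be 0600; group/other bits are set")
        if s_uid != ROOT_UID:
            findings.append(f"{path}: must be owned by root")
    return findings


if __name__ == "__main__":
    for name, layout in (("option 1", OPTION1_LAYOUT), ("option 2 style", OPTION2_LAYOUT)):
        problems = audit_option1(layout)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run against the option (2)-style layout the audit flags both secret files as directly readable by pkiuser, which is exactly the property option (1) avoids: the secrets never become readable by the service account, only by root inside the narrow setuid helper. The helper's own mode is checked too, since a setuid root binary that is group- or world-writable hands root to whoever can write it.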