Hi team,

I updated the Sub-CAs design page with more detail for the key replication. This part of the design is nearly complete (a large patchset is in review over at pki-devel@) but there are various options for how to authenticate to Custodia.
http://www.freeipa.org/page/V4/Sub-CAs#Key_replication

In brief, the options are:

1) authenticate as host principal; install binary setuid root:pkiuser to read host keytab and custodia keys.

2) authenticate as host principal; copy host keytab and custodia keys to location readable by pkiuser.

3) create new principal for pkiuser to use, along with custodia keys and keytab in location readable by pkiuser.

I prefer option (1) for reasons outlined in the design page.

The design page goes into quite a bit more detail so please review the section linked above and get back to me with your thoughts.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
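The following is an added example, not FreeIPA or Custodia code and not part of the message above. It sketches the privilege-separation discipline that option (1) relies on: a setuid-root helper, executable only by the pkiuser group, opens the root-only secret files while it is still root, checks that nobody else could read them, and then permanently drops to the unprivileged user before any secret material is handled. The same file check also shows what options (2) and (3) give up: a keytab copied to a location readable by pkiuser fails the root-only invariant by design. The secret file paths, the `pkiuser` account and all function names are assumptions made for illustration.

```python
"""Added example: a privilege-separated helper in the style of option (1).

Not FreeIPA or Custodia code. The paths below are assumptions:
/etc/krb5.keytab is the conventional host keytab location, and the
Custodia key file path is invented for illustration.
"""
import os
import pwd
import stat

HOST_KEYTAB = "/etc/krb5.keytab"                  # conventional; root:root 0600
CUSTODIA_KEYS = "/etc/ipa/custodia/server.keys"   # assumed path for illustration


def secret_file_problems(st_uid: int, st_gid: int, st_mode: int) -> list:
    """Return the reasons a secret file fails the root-only invariant.

    Takes raw stat fields so the policy can be exercised without root.
    An empty list means: regular file, owned by root, no group/other bits.
    A root:pkiuser 0640 keytab (option 2 style) is rejected on purpose,
    because the whole point of option (1) is that only root can read it.
    """
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set")
    return problems


def drop_privileges(uid: int, gid: int) -> tuple:
    """Permanently switch to uid/gid and verify the switch cannot be undone.

    Order matters: supplementary groups and gid are cleared first, the uid
    last, because once the uid is unprivileged the process can no longer
    change its gids. setres*id sets real, effective and saved ids together,
    so there is no saved-root id left to seteuid() back to.
    """
    if os.geteuid() == 0:
        os.setgroups([])          # only root may alter supplementary groups
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)

    if set(os.getresuid()) != {uid} or set(os.getresgid()) != {gid}:
        raise RuntimeError("privilege drop incomplete")
    if uid != 0:
        try:
            os.setuid(0)          # must fail: no saved root id remains
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop failed: root was regained")
    return uid, gid


def open_secrets_then_drop(target_user: str = "pkiuser") -> dict:
    """Root-only entry point: open secrets, then become target_user.

    Returns a mapping of path -> read-only file descriptor. The fds stay
    valid after the drop, so the unprivileged code can read the keytab and
    Custodia keys without those files ever being readable by pkiuser.
    Requires root; the pure helpers above are what the tests exercise.
    """
    pw = pwd.getpwnam(target_user)
    fds = {}
    for path in (HOST_KEYTAB, CUSTODIA_KEYS):
        st = os.stat(path)
        problems = secret_file_problems(st.st_uid, st.st_gid, st.st_mode)
        if problems:
            raise PermissionError("%s: %s" % (path, ", ".join(problems)))
        fds[path] = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    drop_privileges(pw.pw_uid, pw.pw_gid)
    return fds


if __name__ == "__main__":
    # Demonstrate the file policy on constructed stat fields (no root needed).
    print("root 0600:", secret_file_problems(0, 0, 0o100600))
    print("root:pkiuser 0640:", secret_file_problems(0, 999, 0o100640))
    print("drop to self:", drop_privileges(os.getuid(), os.getgid()))
```

The helper deliberately opens the files before dropping privileges rather than changing their ownership: the descriptors survive the drop, so pkiuser never gains a path to the secrets on disk, which is the property option (1) buys at the cost of maintaining a setuid binary.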