Title: #62: Configure Anonymous PKINIT on server install
> As a side question is the separate profile needed due to some custom
> extensions required for PKINIT certificate?
yes, we don't want to allow everyone to issue certificates with PKINIT
extensions, they only should be done for KDC cert.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code