Title: #526: server install: properly handle PKINIT-related options
An idea behind the original solution was to always produce PKINIT certificate
by certmonger in case of CA-less install to be able to have anonymous PKINIT
supported. PKINIT cert should have specific attributes and in many cases they
aren't issued by external CAs. However, the certificate is not really needed to
be connected to existing CAs.
Admins can re-issue PKINIT cert afterwards but at least we can get anonymous
PKINIT to wrap 2FA with.
So this pull request actually breaks CA-less deployment.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code