URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options

abbra commented:
An idea behind the original solution was to always produce PKINIT certificate 
by certmonger in case of CA-less install to be able to have anonymous PKINIT 
supported. PKINIT cert should have specific attributes and in many cases they 
aren't issued by external CAs. However, the certificate is not really needed to 
be connected to existing CAs.

Admins can re-issue PKINIT cert afterwards but at least we can get anonymous 
PKINIT to wrap 2FA with.

So this pull request actually breaks CA-less deployment.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to