Title: #526: server install: properly handle PKINIT-related options
In CA-less mode one has to provide all the certs manually. I don't see why the
KDC cert should be an exception and why we should reinvent the wheel for it.
You can't use the local CA anyway, because it's not trusted by IPA. Even if you
made it trusted on the local system, it would not be trusted globally - to do
that you would have to either make every local CA on every server trusted
globally, which does not scale well and would most likely cause more issues
than solve, or provide a mechanism to synchronize the CA's private key between
servers, which is non-trivial and out of the scope of the PKINIT effort.
If you think it is a good idea to support the local CA in addition to Dogtag,
please file an RFE. Meanwhile, this PR fixes an obvious bug without implementing
any additional features.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list: