URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options

HonzaCholasta commented:
In CA-less mode one has to provide all the certs manually. I don't see why the 
KDC cert should be an exception and why we should reinvent the wheel for it.

You can't use the local CA anyway, because it's not trusted by IPA. Even if you 
made it trusted on the local system, it would not be trusted globally - to do 
that you would have to either make every local CA on every server trusted 
globally, which does not scale well and would most likely cause more issues 
than solve, or provide a mechanism to synchronize the CA's private key between 
servers, which is non-trivial and out of the scope of the PKINIT effort.

If you think it is a good idea to support the local CA in addition to Dogtag, 
please file a RFE. Meanwhile, this PR fixes an obvious bug without implemeting 
any additional features.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to