Title: #526: server install: properly handle PKINIT-related options
This PR does not handle upgrade case which is what Local CA considers. We don't
need other systems trust the certificate and we don't need to synchronize
anything because KDC cert in upgrade case is issued automatically and is used
by privilege separation code on the same machine.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code