URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: properly handle PKINIT-related options
HonzaCholasta commented:
"""
The local CA is in fact not used in CA-less upgrade. This is what you get after
upgrade from 4.4.3 to current master:
```
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170301142723':
status: CA_UNREACHABLE
ca-error: Server at
https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will
retry: 4001 (RPC failed at server. CA is not configured).
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
# ls /var/kerberos/krb5kdc/kdc.crt
ls: cannot access '/var/kerberos/krb5kdc/kdc.crt': No such file or directory
```
Additionally, there is no mention of using the local CA to issue the cert in
CA-less in any of the following designs:
* http://www.freeipa.org/page/V4/External_Authentication
* http://www.freeipa.org/page/V4/Kerberos_PKINIT
In other words, using the local CA is something a) not designed properly b) not
implemented at all.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/526#issuecomment-283355431
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
