URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options
HonzaCholasta commented:
"""
The local CA is in fact not used in CA-less upgrade. This is what you get after upgrade from 4.4.3 to current master:

```
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170301142723':
        status: CA_UNREACHABLE
        ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. CA is not configured).
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
# ls /var/kerberos/krb5kdc/kdc.crt
ls: cannot access '/var/kerberos/krb5kdc/kdc.crt': No such file or directory
```

Additionally, there is no mention of using the local CA to issue the cert in CA-less in any of the following designs:

* http://www.freeipa.org/page/V4/External_Authentication
* http://www.freeipa.org/page/V4/Kerberos_PKINIT

In other words, using the local CA is something a) not designed properly b) not implemented at all.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283355431
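A post-upgrade check for the symptom described in the comment, written here as an added example (not FreeIPA or certmonger code): it parses `getcert list` output and flags certmonger requests tracked against the IPA CA that the server answers with "CA is not configured", which is exactly the state a KDC PKINIT certificate ends up in on a CA-less server. The sample output is constructed from the comment above with the hostname replaced by a placeholder.

```python
"""Flag certmonger requests that can never be fulfilled because they are
tracked against an IPA CA the server does not have (CA-less install)."""
import re
import subprocess

# Constructed sample: the `getcert list` output quoted in the comment,
# with the lab hostname replaced by ipa.example.test.
SAMPLE = """Number of certificates and requests being tracked: 1.
Request ID '20170301142723':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4001 (RPC failed at server.  CA is not configured).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the indented field names."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        # Field lines are indented; split on the first colon only, since
        # values such as ca-error contain colons themselves.
        if requests and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def find_unconfigured_ca_requests(text):
    """IDs of IPA-CA requests stuck because the server reports no CA."""
    return [
        r["id"] for r in parse_getcert_list(text)
        if r.get("CA") == "IPA"
        and r.get("status") == "CA_UNREACHABLE"
        and "CA is not configured" in r.get("ca-error", "")
    ]


if __name__ == "__main__":
    # Run against the live certmonger state when executed on an IPA server.
    live = subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    for req_id in find_unconfigured_ca_requests(live):
        print("request %s is tracked against a CA this server does not have" % req_id)
```

On a CA-less server any request this reports needs to be retracked (or the certificate installed by other means) rather than left to retry forever.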
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code