URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

abbra commented:
ACK for the patch. However, I'm not claiming that the CA does not need to be
trusted. What I'm saying is that for Anonymous PKINIT's use in the privilege
separation code we can issue certs using a local CA because we can trust the
local CA on IPA masters. They would all be different local CAs, of course, but
this was thought to be a stop-gap until admins can replace local certificates
with the proper ones some time after upgrade.

Privilege separation code now supports several ways to kinit and falls back to 
a wrapping with HTTP/ipa.master credentials in case anonymous PKINIT is not 


