Title: #694: RFC: implement local PKINIT deployment in server/replica install
I agree that it is an internal detail whether we use local PKINIT or not. However,
we need to know that it exists, as opposed to not existing at all, for older
systems where we are going to perform upgrades. However, as you can derive this
information from the presence or absence of the actual KDC certificate file in
the file system during upgrade, this can be reduced, indeed.
One more detail: we already have a pkinit plugin (`ipaserver/plugins/pkinit.py`)
which has an `ipa pkinit-anonymous enable/disable` command. This command cannot
be used now because even for the 'local' case we require anonymous PKINIT to be
usable, and this means we cannot disable the principal.
Perhaps you can remove this command and add an `ipa pkinit-status` command
instead to show the status? It would show a list of KDCs and their status.
See the full comment at
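The comment above suggests deriving the local PKINIT state of each KDC from whether its certificate file is present on disk, and reporting that per KDC from a status command. The following is an added illustration of that check, not code from the ticket or from FreeIPA's pkinit plugin. The file names `kdc.crt` and `kdc.key`, the per-KDC directory layout, and the status labels are assumptions made for the example; it treats a certificate without its key (or vice versa) as a distinct state rather than guessing, since an upgrade should not silently pick either answer in that case.

```python
"""Classify KDCs by the presence of their local PKINIT credentials (example)."""
import os
import tempfile
from typing import Dict

# Assumed file names for the KDC's PKINIT certificate and private key.
# These are example assumptions, not taken from the ticket discussion.
KDC_CERT = "kdc.crt"
KDC_KEY = "kdc.key"

# Status labels for the hypothetical `ipa pkinit-status` output.
ENABLED = "enabled"        # certificate and key both present
DISABLED = "disabled"      # neither present: local PKINIT was never deployed
INCONSISTENT = "inconsistent"  # only one of the pair present; do not assume a state


def local_pkinit_status(kdc_dir: str) -> str:
    """Derive one KDC's PKINIT state from the files in its state directory."""
    have_cert = os.path.isfile(os.path.join(kdc_dir, KDC_CERT))
    have_key = os.path.isfile(os.path.join(kdc_dir, KDC_KEY))
    if have_cert and have_key:
        return ENABLED
    if not have_cert and not have_key:
        return DISABLED
    # One half of the pair is missing: surface it instead of picking a side.
    return INCONSISTENT


def pkinit_status(kdcs: Dict[str, str]) -> Dict[str, str]:
    """Map each KDC host name to its status, given its state directory."""
    return {host: local_pkinit_status(path) for host, path in sorted(kdcs.items())}


def needs_local_pkinit_deploy(kdcs: Dict[str, str]) -> bool:
    """Upgrade helper: True when any KDC still lacks a complete local PKINIT setup."""
    return any(status != ENABLED for status in pkinit_status(kdcs).values())


def _write(path: str, content: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo() -> Dict[str, str]:
    """Build a constructed three-KDC layout in a temp dir and classify it."""
    root = tempfile.mkdtemp(prefix="pkinit-status-")
    kdcs = {
        "kdc1.example.test": os.path.join(root, "kdc1"),  # fully deployed
        "kdc2.example.test": os.path.join(root, "kdc2"),  # pre-upgrade, nothing
        "kdc3.example.test": os.path.join(root, "kdc3"),  # cert only
    }
    for d in kdcs.values():
        os.makedirs(d, exist_ok=True)
    # Constructed placeholder contents; only file presence matters here.
    _write(os.path.join(kdcs["kdc1.example.test"], KDC_CERT), "-----BEGIN CERTIFICATE-----\n")
    _write(os.path.join(kdcs["kdc1.example.test"], KDC_KEY), "-----BEGIN PRIVATE KEY-----\n")
    _write(os.path.join(kdcs["kdc3.example.test"], KDC_CERT), "-----BEGIN CERTIFICATE-----\n")
    return pkinit_status(kdcs)


if __name__ == "__main__":
    for host, status in demo().items():
        print(f"{host}: {status}")
```

Run as a script it prints one line per KDC; `needs_local_pkinit_deploy` is the shape of the question an upgrade step would ask before deciding whether to generate local PKINIT credentials.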