Title: #694: RFC: implement local PKINIT deployment in server/replica install
We can query that PKINIT was not configured at all by a) checking the presence
of the KDC keypair, b) checking the sysupgrade (no presence of pkinit flag implies
no configuration is present), and c) querying LDAP (no presence of
ipaConfigString), so we have multiple redundant ways to determine that PKINIT is
not configured at all.

As for the removal of pkinit status, I intend to replace the existing command
by `ipa pkinit-status` as a follow-up PR once this one is merged.

I will then update the design page to reflect this discussion and update the
implementation in this PR.