Title: #758: install: fix CA-less PKINIT
@stlaz, this seems to be a bug in kinit. When you have a certificate chain root
CA -> intermediate CA -> KDC and want to trust the intermediate CA, but not the
root CA, the validation will always fail. This is the case in external CA setup
(the external CA is the root CA, IPA CA is the intermediate CA), but I haven't
confirmed it without IPA yet.
Without this patchset, both the CA certificates are trusted, which is a bug,
but makes kinit work.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code