URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
@stlaz, this seems to be a bug in kinit. When you have a certificate chain root 
CA -> intermediate CA -> KDC and want to trust the intermediate CA, but not the 
root CA, the validation will always fail. This is the case in external CA setup 
(the external CA is the root CA, IPA CA is the intermediate CA), but I haven't 
confirmed it without IPA yet.

Without this patchset, both the CA certificates are trusted, which is a bug, 
but makes kinit work.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to