You lose nothing with --no-pkinit because you can add a certificate authority and enable pkinit later. But it seems it's a relatively new option; we installed our prod instance back in 2016 and it didn't ask for --no-pkinit at all. I found it yesterday. Our main instance is running with pkinit disabled and it does all we want for us. I started to play with pkinit just yesterday.

[root@auth ~]# ipa-ca-install
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: reindex attributes
  ...
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@auth ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@auth ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
[root@auth ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful

On Fri, Mar 13, 2020 at 7:23 PM Peter Tselios via FreeIPA-users <[email protected]> wrote:

> That's promising.
> So, now I need to ask something else.
>
> What are the implications of the --no-pkinit?
> What do I lose?
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
