It looks like, as far as I can tell, the IPA PKI setup does not by default include subjectKeyIdentifier in the SSL certificates issued. I am using ipa-getcert -f foo -k bar to generate and submit the request.

I am a little hazy about how all of this fits together at this point, so please forgive me. However, it looks like the RFC states that the CA SHOULD be included with all end certificates: https://www.ietf.org/rfc/rfc3280.txt (Page 27). So it is fine that it is not included, but is there a way to modify IPA so that it does? I assume this is all part of dogtag and its operations, and it looks like from my research it should be possible in dogtag, but how IPA and dogtag work together, etc., well, I just don't know enough.

Environment:
RHEL 6.2
ipa-client-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-2.1.3-9.el6.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
certmonger-0.50-3.el6.x86_64

-Erinn