David Copperfield wrote:
I think the problem is figured out, though the solution is not easy. Would
someone please open a bug for this problem?
Another closely related question to ask: does this mean the IPA PKI/CA system is
still in its beta/alpha stage, and better avoided in production IPA
I've seen messages and Q&A on the mailing lists of 389 Directory Server and freeIPA
much, much more often than on the Dogtag list. If so, I can use --selfsign to
install IPA masters and replicas now, and wait until Dogtag is
mature enough, because this IPA solution is the core of our business
authentication and authorization, and so I have been asked several times
to make it reliable and easy to maintain. Otherwise the admin official
would rather keep the existing Kerberos+OpenLDAP solution, which is time
As Rich pointed out, there are per-instance specific versions of the
scripts. This is related to the templates you saw in the rpm.
CAs are not sexy which may be why the dogtag list is low volume. I get
the feeling that many people just get by with self-signed certificates
that are managed by hand. There is a fair bit of discussion in the
freenode #dogtag IRC channel from time to time.
There is no way to migrate from one CA type to another within IPA
(without re-installing IPA).
Freeipa-users mailing list