David Copperfield wrote:
I think the problem is figured out, though the solution is not easy. Would
someone please open a bug for this problem.

Another closely related question to ask: Does this mean the IPA PKI/CA system is
still in its beta/alpha stage, and better avoided in a production IPA
deployment?

I've seen messages and Q/A on the mailing lists of 389 Directory Server and freeIPA
much, much more often than on the Dogtag one. If so, I can use --selfsign to
install IPA masters and replicas now, and wait until Dogtag is
mature enough, because this IPA solution is the core of our business
authentication and authorization, and so I have been asked several times
to make it reliable and easy to maintain. Otherwise the admin officials
would rather keep the existing Kerberos+OpenLDAP solution, which is time
proven.

As Rich pointed out, there are per-instance specific versions of the scripts. This is related to the templates you saw in the rpm.

CAs are not sexy, which may be why the dogtag list is low volume. I get the feeling that many people just get by with self-signed certificates that are managed by hand. There is a fair bit of discussion in the freenode #dogtag IRC channel from time to time.

There is no way to migrate from one CA type to another within IPA (without re-installing IPA).

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
