Hello list,

FreeIPA's self-sign CA is a holdout from days where the our integration with a real CA wasn't that good. Also its name is confusing: the Dogtag CA also uses a self-signed certificate by default. We will soon be introducing a way to install IPA with custom certificates without a CA at all. When that is merged, it will no longer be possible to install a self-sign server.

After that, the plan is to convert existing self-sign masters to CA-less on upgrade, and remove the self-sign code. On a CA-less master, IPA's cert commands will no longer be available and cert rotation will need to be done manually. Documentation on how to do this (using the existing self-signed CA cert) will be provided.


Freeipa-users mailing list

Reply via email to