FreeIPA's self-sign CA is a holdout from days when our integration
with a real CA wasn't that good. Also its name is confusing: the Dogtag
CA also uses a self-signed certificate by default.
We will soon be introducing a way to install IPA with custom
certificates without a CA at all. When that is merged, it will no longer
be possible to install a self-sign server.
After that, the plan is to convert existing self-sign masters to CA-less
on upgrade, and remove the self-sign code. On a CA-less master, IPA's
cert commands will no longer be available and cert rotation will need to
be done manually.
Documentation on how to do this (using the existing self-signed CA cert)
will be provided.
Freeipa-users mailing list