On 03/28/2013 09:10 AM, Christian Horn wrote:

On Tue, Mar 26, 2013 at 05:02:34PM +0100, Petr Viktorin wrote:

We will soon be introducing a way to install IPA with custom
certificates without a CA at all. When that is merged, it will no
longer be possible to install a self-sign server.

I see that the change in functionality is in line with generic
Unix principles; Linux distros already have tools to create and
manage their own self-signed CAs.

To clarify: this is about removing the --selfsign option to ipa-server-install, which installs a limited CA (for example, it doesn't support CA replication or cert-find).

The default Dogtag CA also uses a self-signed certificate, but it's not affected by this change.

The naming confusion is a small part of the reason why it's better to remove --selfsign.

Yet from what I understand, this change will make all test setups
more complicated.
One then has to deploy one's own CA oneself (i.e. with the openssl
tools) and have it sign the IPA cert.

Use the default Dogtag CA for test setups. It will still use a self-signed CA certificate by default.

