[Freeipa-users] Heads-up: Removing self-sign CA

Petr Viktorin pviktori at redhat.com
Tue Mar 26 16:02:34 UTC 2013


Hello list,

FreeIPA's self-sign CA is a holdout from the days when our integration 
with a real CA wasn't that good. Also, its name is confusing: the Dogtag 
CA also uses a self-signed certificate by default.
We will soon be introducing a way to install IPA with custom 
certificates without a CA at all. When that is merged, it will no longer 
be possible to install a self-sign server.

After that, the plan is to convert existing self-sign masters to CA-less 
on upgrade, and remove the self-sign code. On a CA-less master, IPA's 
cert commands will no longer be available and cert rotation will need to 
be done manually.
Documentation on how to do this (using the existing self-signed CA cert) 
will be provided.

-- 
Petr³
