[Freeipa-users] Heads-up: Removing self-sign CA
Petr Viktorin
pviktori at redhat.com
Tue Mar 26 16:02:34 UTC 2013
Hello list,
FreeIPA's self-sign CA is a holdout from the days when our integration
with a real CA wasn't that good. Also its name is confusing: the Dogtag
CA also uses a self-signed certificate by default.
We will soon be introducing a way to install IPA with custom
certificates without a CA at all. When that is merged, it will no longer
be possible to install a self-sign server.
After that, the plan is to convert existing self-sign masters to CA-less
on upgrade, and remove the self-sign code. On a CA-less master, IPA's
cert commands will no longer be available and cert rotation will need to
be done manually.
Documentation on how to do this (using the existing self-signed CA cert)
will be provided.
--
Petr³