[Freeipa-users] Heads-up: Removing self-sign CA

Petr Viktorin pviktori at redhat.com
Thu Mar 28 08:32:36 UTC 2013


On 03/28/2013 09:10 AM, Christian Horn wrote:
> Hi,
>
> On Tue, Mar 26, 2013 at 05:02:34PM +0100, Petr Viktorin wrote:
>>
>> We will soon be introducing a way to install IPA with custom
>> certificates without a CA at all. When that is merged, it will no
>> longer be possible to install a self-sign server.
>
> I see that the change in functionality is in line with generic
> Unix principles; Linux distros already have tools to create and
> manage their own self-signed CAs.

To clarify: this is about removing the --selfsign option to 
ipa-server-install, which installs a limited CA (for example, it doesn't 
support CA replication or cert-find).

The default Dogtag CA also uses a self-signed certificate, but it's not 
affected by this change.

The naming confusion is a small part of the reason why it's better to 
remove --selfsign.

> Yet from what I understand, this change will make all test setups
> more complicated.
> One then has to deploy one's own CA (i.e. with the openssl
> tools) and have it sign the IPA cert.

Use the default Dogtag CA for test setups. It will still use a 
self-signed CA certificate by default.

-- 
Petr³
