Ticket #2930 will put the CA cert into LDAP. However, for the CA cert expiration case and the related CA key rotation every once in a while, we need to have a way to publish more than one root CA cert for clients to fetch. The client side should detect that a new cert is published and pull it so that the CA cert can be rotated without client downtime.
A corresponding ticket needs to be opened against SSSD or certmonger to do the client-side polling. Right now we pull it just once, during ipa-client-install.
There was another RFE that would call for a generic mechanism to pass some policies from server to client, but I could not find it in either the SSSD or IPA trac.
Related ticket: #3737.
Reassigning to jcholast, as agreed with him.
Moving to current 3.4 month cycle.
3.4 development was shifted for one month, moving tickets to reflect reality better.
Related is that things that pull the CA certificate need to pull all values. ipa-client-install does not appear to do this, in EL 5 in any case.
Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.
Adding to list of tickets required for 4.0 release.
There is not enough time to review and test this feature properly for 4.0. Moving to 4.1.
Closed with #3737, see there for the commit list.
master:
ipa-4-1:
Metadata Update from @dpal: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1