#3494 [RFE] Drop --selfsign server functionality
Closed: Fixed None Opened 5 years ago by mkosek.

In the future, we would like to support 2 flavors of certificate management in IPA:

  • IPA with pki-ca (dogtag) with either a self-signed certificate or with a certificate signed by external CA (--external-ca option)
  • IPA with no pki-ca installed with certificates signed and provided by an external CA:
    • Uses options like --dirsrv_pkcs12 or --http_pkcs12

Installation with --selfsign (self-signed certificate managed in local NSS database on server) is rather troublesome and not even supported - it should be dropped.

Related ticket: #3363 (fixing --http_pkcs12 & friends). We should fix both at the same time.

Related ticket: #3360. We should make sure we cover it as well.

This also involves:

  • converting self-sign masters to CA-less on upgrade
  • documenting how to manually issue self-signed certificates (for new replicas and rotation of expired certs)

I've opened ticket https://fedorahosted.org/freeipa/ticket/3534 for removing the --selfsign option, making it impossible to install new selfsign masters. This one will track the conversion and removal of functionality.

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)

2 years ago
