#3535 [RFE] Warn when a certificate cannot be revoked
Opened 11 years ago by pviktori. Modified 7 years ago

In a CA-less install, commands like host-mod & service-del should warn when an old certificate is removed, because the admin needs to revoke it manually.


In the CA-less install, how would the certs get into the host and service entry? If the system was a system that was able to create certs for hosts and services and now is converted to use an external CA, one would expect that all certs issued by the IPA CA would be revoked at that point. This is true regardless of whether IPA used selfsign CA or Dogtag selfsign CA or Dogtag-based chained CA.

I am missing a use case here...

The user might set it themselves using host-mod or service-mod, for tracking for example.

As it stands in 3.1 (outside of any of Petr's other changes), it is mandatory for a certificate to be revoked before we allow deleting a host/service to prevent orphaned, deleted certificates.

This will need to be relaxed, but we should still notify users that the certificate isn't being referenced within IPA any more, at least.

Utilize new method to return non-fatal data to clients: https://fedorahosted.org/freeipa/ticket/2732

Metadata Update from @pviktori:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago
