#5238 [RFE] Improve UX of importing CA cert for non-ipa clients
Opened 3 years ago by dpal. Modified 2 years ago

Improve UX of importing CA cert for non-ipa client so that user would avoid:

When one configures the browser he needs to first grant an exception to trust a specific cert and then needs to configure his browser to trust the CA. But once the CA is trusted the exception is not needed any more so it should probably be removed as a part of the browser configuration.

Triage discussion

  • mkosek: this means Firefox would need to have JavaScript API to remove permanently stored certificate
  • mkosek: I also do not think it is possible - I would close as invalid
  • Note: this is for hosts that are not IPA clients. IPA client adds CA cert to the system store which is used also by Firefox.
  • DP: worried about FreeIPA/Ipsilon demo, being tested from non-IPA client
  • ab: we should add some warning to the documentation
  • ab: there is also a trend that browser developer will deprecate http
  • ab: maybe we should add a link at the end of the installation to the unsecure version of the new IP server, explaining what happens from now. It can and should mention the exception certificate experience.
  • pvoborni: we can also improve the page about browser configuration

Changing the ticket description based on the discussion above.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

2 years ago

Login to comment on this ticket.