Currently Dogtag stores blobs for the CSRs and the actual certificates in CS.cfg. Can we double-check if they are needed or anything and, if not, remove them from the file?
    # grep "cert=" /etc/pki/pki-tomcat/ca/CS.cfg
    ca.audit_signing.cert=MIIDTj[...]
    # grep "certreq=" /etc/pki/pki-tomcat/ca/CS.cfg
    ca.audit_signing.certreq=MIICbj[...]
Some code[1] in PKI currently assumes the existence of these fields. They may well not be needed, but assumptions like those in [1] will have to be weakened.
https://www.redhat.com/archives/freeipa-users/2016-March/msg00000.html
This ticket is out of scope of 4.4.0 release. Moving to 4.4.1. Note that 4.4.1 needs to be triaged, therefore not everything will be implemented.
moving out tickets not implemented in 4.4.1
4.4.2 is a stabilization milestone. If this bug is an important stabilization bug, then please put it in the NEEDS TRIAGE milestone for retriage.
Metadata Update from @tscherf:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog