Custodia stores two keys for every FreeIPA server in cn=custodia,cn=ipa,cn=etc,$SUFFIX. One key has CN=sig/$FQDN, the other key has CN=enc/$FQDN. The keys are created automatically during installation of a FreeIPA server. ipa-server-install --uninstall does not clean up and remove the keys when a server/replica is uninstalled.
/etc/ipa/custodia/custodia.conf and /etc/ipa/custodia/server.keys aren't removed either.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1353936 (Red Hat Enterprise Linux 7)
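Added example, not part of the ticket or of FreeIPA: a small audit that lists Custodia key entries (cn=sig/$FQDN, cn=enc/$FQDN under the container named above) whose host is no longer a server in the topology. The live commands in the comments that would feed it (`ipa server-find --raw`, `ldapsearch` against the Custodia container) are assumptions about output format; the function itself works on plain text, and the demo runs on constructed sample data.

```shell
#!/bin/sh
# Added example (not from the ticket). On a live server the inputs would come from
# (assumed output formats, verify on your release):
#   ipa server-find --raw | awk '/^ *cn:/ {print $2}' > servers.txt
#   ldapsearch -Y GSSAPI -LLL -b "cn=custodia,cn=ipa,cn=etc,$SUFFIX" '(cn=*/*)' cn > keys.ldif
#   find_stale_custodia_keys servers.txt keys.ldif
# Any key printed belongs to a host that is not a current server and is a
# leftover such as the one this ticket describes.

# find_stale_custodia_keys SERVERS_FILE LDIF_FILE
#   SERVERS_FILE: one server FQDN per line
#   LDIF_FILE:    ldapsearch output containing "cn: sig/<host>" / "cn: enc/<host>"
find_stale_custodia_keys() {
    servers="$1"; ldif="$2"
    # Keep only the sig/ and enc/ key names, then compare the host part
    # against the list of live servers.
    grep -E '^cn: (sig|enc)/' "$ldif" | sed 's/^cn: //' | while IFS= read -r key; do
        host="${key#*/}"
        if ! grep -qxF "$host" "$servers"; then
            printf '%s\n' "$key"
        fi
    done
}

# demo_stale_keys: runs the audit on constructed sample data (two live servers,
# one decommissioned replica whose keys were never removed).
demo_stale_keys() {
    tmp=$(mktemp -d)
    printf '%s\n' ipa1.example.test ipa2.example.test > "$tmp/servers.txt"
    cat > "$tmp/keys.ldif" <<'EOF'
dn: cn=sig/ipa1.example.test,cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
cn: sig/ipa1.example.test

dn: cn=enc/ipa1.example.test,cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
cn: enc/ipa1.example.test

dn: cn=sig/old.example.test,cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
cn: sig/old.example.test

dn: cn=enc/old.example.test,cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
cn: enc/old.example.test
EOF
    find_stale_custodia_keys "$tmp/servers.txt" "$tmp/keys.ldif"
    rm -rf "$tmp"
}
```

The demo prints the two keys of old.example.test; the same comparison can be extended to the on-disk /etc/ipa/custodia/custodia.conf and server.keys left behind on a decommissioned host.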
[PATCH 0032] Secure permission and cleanup Custodia server.keys
4.3.2 was released, moving to 4.3.3
Was agreed that this should not be backported to 4.3.x.
Metadata Update from @cheimes:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.4.1