Domain level 0 does not support PKINIT. However, when we migrate to higher domain levels, we need to enable PKINIT in all configurations that support it (i.e. where we can issue certificates).
DL0 does not support PKINIT for multiple reasons:
* historically DL0 did not have proper support for custom CA certificate profiles, only added them in FreeIPA 4.2
* PKINIT certificate for KDC needs to have a special extension or to be issued in the name of the krbtgt/REALM@REALM principal. We did not support this in the FreeIPA certificate issuance flow until version 4.5
* Even if you deploy a FreeIPA 4.5 replica of an older master (before v4.2), it does not guarantee that the CA is running FreeIPA 4.5.
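The second reason above, the KDC certificate needing either the PKINIT KDC extended key usage or a SAN naming the krbtgt/REALM@REALM principal, is something an administrator can verify on an existing KDC certificate before assuming PKINIT will work after a domain level migration. The following is an added example, not code from this ticket or from FreeIPA itself: it uses the `cryptography` library (assumed available) to build a constructed self-signed KDC certificate for an assumed realm `EXAMPLE.TEST`, encodes the `KRB5PrincipalName` otherName by hand with a minimal DER encoder, and then checks a certificate for the two pieces of evidence RFC 4556 describes (`id-pkinit-KDC` EKU, OID 1.3.6.1.5.2.3.5, and an `id-pkinit-san` otherName, OID 1.3.6.1.5.2.2, carrying the realm's krbtgt principal). Function names and the helper DER encoder/decoder are this example's own.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PKINIT_KDC_EKU = "1.3.6.1.5.2.3.5"   # id-pkinit-KDC (RFC 4556)
PKINIT_SAN = "1.3.6.1.5.2.2"         # id-pkinit-san otherName carrying KRB5PrincipalName
NT_SRV_INST = 2                      # Kerberos name type used for krbtgt/REALM


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_krb5_principal(realm: str, components: list) -> bytes:
    """DER-encode KRB5PrincipalName { realm [0], principalName [1] } (RFC 4556 3.2.2)."""
    ks = lambda s: _tlv(0x1B, s.encode())            # KerberosString = GeneralString
    name_type = _tlv(0xA0, _tlv(0x02, bytes([NT_SRV_INST])))
    name_string = _tlv(0xA1, _tlv(0x30, b"".join(ks(c) for c in components)))
    principal = _tlv(0xA1, _tlv(0x30, name_type + name_string))
    return _tlv(0x30, _tlv(0xA0, ks(realm)) + principal)


def decode_krb5_principal(der: bytes) -> str:
    """Inverse of encode_krb5_principal; returns 'comp1/comp2@REALM'."""
    _, body, _ = _der_read(der, 0)                   # KRB5PrincipalName SEQUENCE
    _, realm_ctx, p = _der_read(body, 0)             # realm [0]
    _, realm, _ = _der_read(realm_ctx, 0)
    _, pn_ctx, _ = _der_read(body, p)                # principalName [1]
    _, pn, _ = _der_read(pn_ctx, 0)                  # PrincipalName SEQUENCE
    _, _, p = _der_read(pn, 0)                       # name-type [0] (not needed here)
    _, ns_ctx, _ = _der_read(pn, p)                  # name-string [1]
    _, ns_seq, _ = _der_read(ns_ctx, 0)              # SEQUENCE OF KerberosString
    parts, p = [], 0
    while p < len(ns_seq):
        _, s, p = _der_read(ns_seq, p)
        parts.append(s.decode())
    return "/".join(parts) + "@" + realm.decode()


def make_kdc_cert(realm: str = "EXAMPLE.TEST", eku: bool = True, san: bool = True):
    """Constructed self-signed KDC certificate; eku/san toggle the PKINIT evidence."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "kdc." + realm.lower())])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage([x509.ObjectIdentifier(PKINIT_KDC_EKU)]), critical=False)
    if san:
        der = encode_krb5_principal(realm, ["krbtgt", realm])
        b = b.add_extension(x509.SubjectAlternativeName(
            [x509.OtherName(x509.ObjectIdentifier(PKINIT_SAN), der)]), critical=False)
    return b.sign(key, hashes.SHA256())


def pkinit_kdc_evidence(cert) -> dict:
    """Report which PKINIT KDC identity evidence the certificate carries."""
    result = {"kdc_eku": False, "krbtgt_san": None}
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        result["kdc_eku"] = x509.ObjectIdentifier(PKINIT_KDC_EKU) in eku
    except x509.ExtensionNotFound:
        pass
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id.dotted_string == PKINIT_SAN:
                result["krbtgt_san"] = decode_krb5_principal(other.value)
    except x509.ExtensionNotFound:
        pass
    return result


def is_pkinit_kdc_cert(cert, realm: str) -> bool:
    """True if the cert names the realm's krbtgt principal or carries the KDC EKU."""
    ev = pkinit_kdc_evidence(cert)
    return ev["krbtgt_san"] == f"krbtgt/{realm}@{realm}" or ev["kdc_eku"]


if __name__ == "__main__":
    for flags in ((True, True), (True, False), (False, True), (False, False)):
        c = make_kdc_cert(eku=flags[0], san=flags[1])
        print(flags, pkinit_kdc_evidence(c), is_pkinit_kdc_cert(c, "EXAMPLE.TEST"))
```

A certificate issued by a pre-4.5 profile will typically show neither the EKU nor the krbtgt otherName, which is exactly the case the ticket calls out: the CA that signs the KDC certificate, not only the replica being installed, must be on a release whose profiles add this evidence. Note that `is_pkinit_kdc_cert` requires the SAN principal to match the expected realm, so a certificate naming a different realm's krbtgt is not accepted on the SAN path.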
Metadata Update from @pvoborni:
- Custom field rhbz adjusted to todo
- Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone