#6802 When upgrading from DL0 to DL1 configure PKINIT on all masters
Opened 2 years ago by abbra. Modified 2 years ago

Domain level 0 does not support PKINIT. However, when we migrate to higher domain levels, we need to enable PKINIT in all configurations that support it (i.e. where we can issue certificates).

DL0 does not support PKINIT for multiple reasons:
historically DL0 did not have proper support for custom CA certificate profiles, only added them in FreeIPA 4.2
PKINIT certificate for KDC needs to have special extension or to be issued in the name of krbtgt/REALM@REALM principal. We did not support this in FreeIPA certificate issuance flow until version 4.5
* Even if you deploy FreeIPA 4.5 replica of older master (before v4.2), it does not guarantee that CA is runnign FreeIPA 4.5.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to todo
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Login to comment on this ticket.