Issue #6802: When upgrading from DL0 to DL1 configure PKINIT on all masters - freeipa

freeipa

#6802 When upgrading from DL0 to DL1 configure PKINIT on all masters

Opened 7 years ago by abbra. Modified 5 years ago

Domain level 0 does not support PKINIT. However, when we migrate to higher domain levels, we need to enable PKINIT in all configurations that support it (i.e. where we can issue certificates).

DL0 does not support PKINIT for multiple reasons:
historically DL0 did not have proper support for custom CA certificate profiles, only added them in FreeIPA 4.2
PKINIT certificate for KDC needs to have special extension or to be issued in the name of krbtgt/REALM@REALM principal. We did not support this in FreeIPA certificate issuance flow until version 4.5
* Even if you deploy FreeIPA 4.5 replica of older master (before v4.2), it does not guarantee that CA is runnign FreeIPA 4.5.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to todo
- Issue set to the milestone: FreeIPA 4.7

7 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

rcritten commented 5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

FreeIPA 4.7.1

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

todo

tester

None

changelog

None

design

None

freeipa

Source Code

#6802 When upgrading from DL0 to DL1 configure PKINIT on all masters Opened 7 years ago by abbra. Modified 5 years ago

Close issue as:

Metadata

#6802 When upgrading from DL0 to DL1 configure PKINIT on all masters

Opened 7 years ago by abbra. Modified 5 years ago