In https://pagure.io/freeipa/issue/7141 we now only track HTTP/DS service certificates
if they were issued by the IPA CA.
The default behaviour is to issue these certificates from the IPA CA. So the current implementation
handles the default situation properly.
But if the certificate is issued by a sub-CA of the IPA CA (or other CA controlled by FreeIPA),
we do not track it. Should we?
Let us discuss.
I also think that we should track server certs issued by sub-CAs. This would affect
- the upgrade code (if server certs are issued by sub-CAs then they should also be tracked)
- the tool ipa-server-certinstall (used to replace HTTP and LDAP certificates), which currently does not track certificates if they are issued by sub-CAs
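The two rules under discussion, as an added example that is not code from the ticket or from FreeIPA: `issuedDirectlyByIPACA` is the current behaviour (track a service certificate only if the IPA CA itself signed it) and `issuedUnderIPACA` is the proposed one (also track certificates that chain to the IPA CA through a sub-CA). Go's standard crypto/x509 package stands in for the chain check; the function names and the in-memory certificates are constructed for the example and are not FreeIPA API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate for cn. With parent == nil it is
// self-signed (a root standing in for the IPA CA); otherwise parent/parentKey sign it.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored in this demo
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // CAs must be allowed to sign certs
	signer := parentKey // nil parentKey means self-signed
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issuedDirectlyByIPACA is the current rule: track only if the IPA CA's own key signed the cert.
func issuedDirectlyByIPACA(leaf, ipaCA *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(ipaCA) == nil
}

// issuedUnderIPACA is the proposed rule: track if the cert chains to the IPA CA directly or via a known sub-CA.
func issuedUnderIPACA(leaf, ipaCA *x509.Certificate, subCAs ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ipaCA) // the IPA CA is the only trust anchor; no system roots
	for _, c := range subCAs { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

A certificate issued by a sub-CA that is not passed in as an intermediate is rejected by both rules, so the set of known sub-CAs matters as much as the rule itself.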