#7492 client install still creates /etc/ipa/nssdb
Opened 6 years ago by tjaalton. Modified 5 years ago

Current git master still creates a cert db under /etc/ipa/nssdb, which apparently is left unused.
The client installation on non-master clients will put a host certificate there if requested. By default in current FreeIPA we don't issue a host certificate anymore.

I think the code to issue certificate needs to be changed to use normal pem files and the whole /etc/ipa/nssdb support can be removed.

It may be better to simply drop the ability to get a cert on enrollment. Otherwise this could cause problems with those currently using the feature as new clients would be configured differently than old ones.

A --cert-storage option could be provided but that just bloats the options and adds more complexity around cert retrieval.

+1 for @rcritten's proposal.

Should we deprecate the feature in 4.7 and remove in 4.8?

Alexander, Rob, and I discussed the topic today. We agreed to deprecate the option in 4.7 but keep it in the code for the future. I'm not going to add an option to migrate the NSSDB to PEM files or request PEM files until there is a feature request.

master:

  • 411e6c3 Deprecate ipa-client-install --request-cert

ipa-4-7:

  • 444f05c Deprecate ipa-client-install --request-cert
