Disabling the default CA ACL can cause issues. We want to avoid any situation where renewal of IPA system certs fails because an administrator disabled a CA ACL.
Therefore, hard code the following rule in the cert_request command:
caIPAserviceCert
Tests should be written that disable CA ACLs and check that HTTP/ldap cert renewals work.
Also need to check how the KDC certificate fits into this picture.
Also need to check what happens during replica installation (e.g. what principal requests the certificates; does the above rule handle this scenario or is something more needed?)
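As an added illustration (not FreeIPA's own code), a simplified model of the CA ACL check in cert_request with a built-in rule that survives an administrator disabling every user-defined CA ACL; the class and function names, the `exampleUserCert` profile and the principals are constructed for the example.

```python
# Added example, not FreeIPA code: a minimal model of the cert_request CA ACL
# decision with one hard-coded rule for caIPAserviceCert. All names here
# (CAACL, is_allowed, renewal_checks, exampleUserCert) are hypothetical.
from dataclasses import dataclass


@dataclass
class CAACL:
    name: str
    enabled: bool
    profiles: set          # certificate profiles this ACL grants
    principal_types: set   # subset of {"user", "host", "service"}


# Built-in rule: hosts and services may always request caIPAserviceCert, so
# renewal of IPA system certs (HTTP, ldap) cannot be broken by disabling the
# default CA ACL. It is deliberately narrow: no users, no other profiles.
BUILTIN_RULE = CAACL("builtin-ipa-system-certs", True,
                     {"caIPAserviceCert"}, {"host", "service"})


def principal_type(principal: str) -> str:
    """Classify a Kerberos principal by shape: host/..., other svc/..., or user."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return "user"
    return "host" if name.startswith("host/") else "service"


def is_allowed(principal: str, profile: str, acls) -> bool:
    """True if the built-in rule or any enabled admin-defined ACL grants the request."""
    ptype = principal_type(principal)
    for acl in [BUILTIN_RULE, *acls]:
        if acl.enabled and profile in acl.profiles and ptype in acl.principal_types:
            return True
    return False


def renewal_checks() -> dict:
    """Mirror the test the ticket asks for: disable every admin CA ACL, then
    confirm HTTP/ldap renewals still pass and nothing else slips through."""
    admin_acls = [  # constructed ACLs, all disabled by the "administrator"
        CAACL("hosts_services_caIPAserviceCert", False,
              {"caIPAserviceCert"}, {"host", "service"}),
        CAACL("users_exampleUserCert", False, {"exampleUserCert"}, {"user"}),
    ]
    realm = "@EXAMPLE.TEST"
    return {
        "http": is_allowed("HTTP/ipa.example.test" + realm, "caIPAserviceCert", admin_acls),
        "ldap": is_allowed("ldap/ipa.example.test" + realm, "caIPAserviceCert", admin_acls),
        # a user must not be able to ride the built-in rule
        "user_service_profile": is_allowed("alice" + realm, "caIPAserviceCert", admin_acls),
        # a host asking for a non-system profile is still governed by the admin ACLs
        "host_other_profile": is_allowed("host/ipa.example.test" + realm, "exampleUserCert", admin_acls),
    }
```

A certificate requested under any profile other than caIPAserviceCert (the open KDC question in the ticket) is not covered by this rule and would still fail once the admin ACLs are disabled.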
Metadata Update from @ftweedal: - Assignee reset