There is a general goal to reduce reliance on a specific PKI API. This gives the PKI team flexibility to change their API without breaking us, and frees us from supporting both the XML and JSON APIs.
This specific request will not solve all uses of the API.
In https://pagure.io/freeipa/issue/9704 we add a cert_approve workflow so certmonger can renew CA subsystem certificates using IPA directly.
Currently the RA, DS, HTTP and KDC certificates are requested directly from the PKI XML API by certmonger during installation.
Use the PKI-provided CLI tool pki to make these requests instead of certmonger.
The CA generates an admin certificate in /root/ca-admin.p12. We basically don't use this post-installation. This can be used to authenticate to the PKI API to issue the IPA RA certificate. Then we can use that to obtain the DS, HTTP and KDC certificates.
We will need an openssl configuration file to generate the same type of CSR that certmonger currently does, which includes a UPN, encodes the profile, etc.
Once a single CA server is available we no longer need the admin certificate. We'll need to test and verify that going from CA-less to CA-ful is still possible, particularly if the ca-admin.p12 cert has expired.
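As an added example (not FreeIPA, certmonger or Dogtag code), the following script shows one way to build the openssl configuration the ticket asks for: a CSR with the hostname as DNS SAN, the Kerberos principal as a UPN otherName SAN (OID 1.3.6.1.4.1.311.20.2.3), and the profile name encoded as the Microsoft certificate-template extension (OID 1.3.6.1.4.1.311.20.2), which is assumed here to be what "encodes the profile" means. It then checks the generated request for both extensions byte-wise in the DER (so the check does not depend on whether a given openssl version can print a UPN otherName) and checks whether the certificate in a PKCS#12 bundle such as /root/ca-admin.p12 is still valid, the failure mode called out above. The hostname ipa.example.test, realm EXAMPLE.TEST and profile caIPAserviceCert are constructed values.

```shell
#!/bin/sh
# Added example, not project code. Builds a certmonger-like CSR with an
# openssl config and verifies its contents. Hostname, realm, service and
# profile below are assumed placeholder values.
set -u

# Write an openssl req config.
# $1=config path  $2=FQDN  $3=REALM  $4=service (HTTP, ldap, ...)  $5=profile
make_csr_config() {
  cat > "$1" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
CN = $2
O  = $3

[ ext ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt
# Microsoft certificate template name; assumed to be the "encoded profile"
1.3.6.1.4.1.311.20.2 = ASN1:BMPSTRING:$5

[ alt ]
DNS.1       = $2
# UPN otherName carrying the Kerberos principal of the service
otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:$4/$2@$3
EOF
}

# Generate a fresh RSA key and a CSR from the config. $1=config $2=key $3=csr
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
    -config "$1" >/dev/null 2>&1
}

# DER of the CSR as one continuous lowercase hex string
csr_der_hex() {
  openssl req -in "$1" -outform DER | od -An -tx1 | tr -d ' \n'
}

# 0 if the CSR carries the UPN otherName OID (06 0a 2b 06 01 04 01 82 37 14
# 02 03) followed by the expected principal. $1=csr $2=principal
csr_has_upn() {
  hex=$(csr_der_hex "$1")
  upn=$(printf '%s' "$2" | od -An -tx1 | tr -d ' \n')
  case "$hex" in
    *060a2b060104018237140203*"$upn"*) return 0 ;;
  esac
  return 1
}

# 0 if the CSR carries the template extension OID (06 09 2b 06 01 04 01 82
# 37 14 02) followed by $2 as a BMPString (00 xx per ASCII char). $1=csr
csr_has_template() {
  hex=$(csr_der_hex "$1")
  bmp=$(printf '%s' "$2" | od -An -tx1 | tr -d ' \n' | sed 's/../00&/g')
  case "$hex" in
    *06092b0601040182371402*"$bmp"*) return 0 ;;
  esac
  return 1
}

# 0 if the certificate inside a PKCS#12 bundle (e.g. /root/ca-admin.p12)
# has not expired; -checkend 0 fails once notAfter is in the past.
# $1=p12 path $2=password
p12_cert_valid() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Stand-alone demonstration on constructed values
demo() {
  dir=$(mktemp -d)
  make_csr_config "$dir/req.cnf" ipa.example.test EXAMPLE.TEST HTTP caIPAserviceCert
  gen_csr "$dir/req.cnf" "$dir/key.pem" "$dir/req.csr" || return 1
  csr_has_upn "$dir/req.csr" HTTP/ipa.example.test@EXAMPLE.TEST || return 1
  csr_has_template "$dir/req.csr" caIPAserviceCert || return 1
  echo "CSR $dir/req.csr carries the UPN SAN and the template extension"
}

demo
```

The resulting CSR is what would be handed to the pki CLI; Dogtag documents a submit command of the form pki ca-cert-request-submit --profile PROFILE --csr-file FILE run with the admin credentials, but the exact client setup (NSS database, nickname) is not covered here and should be taken from the pki man pages for the target version. A DER byte check was chosen over parsing openssl req -text output because older openssl releases print the UPN otherName as unsupported.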
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://issues.redhat.com/browse/FREEIPA-11726