URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options
abbra commented: """ An idea behind the original solution was to always produce PKINIT certificate by certmonger in case of CA-less install to be able to have anonymous PKINIT supported. PKINIT cert should have specific attributes and in many cases they aren't issued by external CAs. However, the certificate is not really needed to be connected to existing CAs. Admins can re-issue PKINIT cert afterwards but at least we can get anonymous PKINIT to wrap 2FA with. So this pull request actually breaks CA-less deployment. """ See the full comment at https://github.com/freeipa/freeipa/pull/526#issuecomment-283322805
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
