Remove obsolete self-sign references from man pages, docstrings, comments

Part of the work for https://fedorahosted.org/freeipa/ticket/3494
Petr Viktorin
2013-03-27 13:48:36 +01:00
committed by Rob Crittenden
parent 4e3c1051d0
commit 006ab23c6d
6 changed files with 8 additions and 13 deletions

@@ -92,6 +92,3 @@ IPA is not relocatable.
When building rpms the version contains the GIT id in the version. To prevent
this pass the argument IPA_VERSION_IS_GIT_SNAPSHOT=yes to make.
If you don't need a full CA during testing then using the self-signed CA
(pass --selfsign to ipa-server-install) takes less time to install.

@@ -57,7 +57,7 @@ Remote replica machine address
.SS "COMMON OPTIONS"
.TP
\fB\-c\fR, \fB\-\-check\-ca\fR
Include in a check also a set of dogtag connection requirements. When a replica is self\-sign this option is not needed.
Include in a check also a set of dogtag connection requirements. Only needed when the master was installed with Dogtag 9 or lower.
.TP
\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-hostname\fR=\fIHOSTNAME\fR
The hostname of this server (FQDN). By default a nodename from uname(2) is used
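
Review bot: The new \-\-check\-ca sentence ("Only needed when the master was installed with Dogtag 9 or lower") drops the case the old text covered, a replica that has no CA. The code comments later in this commit still handle a replica of an old "self-signed" master, so the man page could say the option is not needed there either. "Include in a check also" would also read better as "Also check the Dogtag connection requirements".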

@@ -152,7 +152,7 @@ Specifies the mount point that the development server will register. The default
Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
.TP
.B ra_plugin <name>
Specifies the name of the CA back end to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
Specifies the name of the CA back end to use. The current options are \fBdogtag\fR and \fBnone\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
.TP
.B realm <realm>
Specifies the Kerberos realm.
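
Review bot: \fBnone\fR is introduced as an ra_plugin value in this paragraph with no explanation of what it selects. Add a short clause describing how a server configured with none behaves, since this man page gives the reader no other description of it.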

@@ -50,9 +50,8 @@ Implements a set of commands for managing server SSL certificates.
Certificate requests exist in the form of a Certificate Signing Request (CSR)
in PEM format.
If using the selfsign back end then the subject in the CSR needs to match
the subject configured in the server. The dogtag CA uses just the CN
value of the CSR and forces the rest of the subject.
The dogtag CA uses just the CN value of the CSR and forces the rest of the
subject to values configured in the server.
A certificate is stored with a service principal and a service principal
needs a host.

@@ -469,7 +469,6 @@ def stop_tracking_certificates(dogtag_constants):
class CAInstance(service.Service):
"""
In the self-signed case the CA exists in the NSS_DB database.
When using a dogtag CA the DS database contains just the
server cert for DS. The mod_nss database will contain the RA agent
cert that will be used to do authenticated requests against dogtag.
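
Review bot: With its first line removed, the CAInstance docstring has no summary sentence and now opens with "When using a dogtag CA", a condition that only read naturally as the contrast to the deleted self-signed case. Suggest opening with a one-line description of the class and dropping the conditional.
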
@@ -1697,7 +1696,7 @@ def replica_ca_install_check(config, master_ds_port):
cafile = config.dir + "/cacert.p12"
if not ipautil.file_exists(cafile):
# self-signed replica
# Replica of old "self-signed" master - CA won't be installed
return
master_ds_port = int(master_ds_port)
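
Review bot: In replica_ca_install_check the new comment names one cause (an old "self-signed" master) for a missing cacert.p12, and the function then returns without telling the operator anything. If the file can be absent for any other reason, word the comment around the condition itself (no CA in the replica file), and consider logging that the CA check is being skipped.
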
@@ -1759,7 +1758,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
cafile = config.dir + "/cacert.p12"
if not ipautil.file_exists(cafile):
# self-signed replica
# Replica of old "self-signed" master - skip installing CA
return (None, None)
if not config.setup_ca:
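
Review bot: The cacert.p12 existence test and its comment in install_replica_ca duplicate the ones in replica_ca_install_check, with slightly different wording ("CA won't be installed" vs "skip installing CA"). A small helper shared by both functions would keep the condition and its explanation in one place.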

@@ -17,7 +17,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `ipalib/plugins/cert.py` module against the selfsign plugin.
Test the `ipalib/plugins/cert.py` module against a RA.
"""
import sys
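
Review bot: "against a RA" in the module docstring should be "an RA", and the abbreviation is not expanded in the visible header of this file. Suggest spelling it out on first use so the docstring says which back end the tests expect.
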
@@ -57,7 +57,7 @@ def is_db_configured():
# To test against Apache directly then no changes are required. Just be
# sure the xmlrpc_uri in ~/.ipa/default.conf points to Apache.
#
# To test against a selfsign or dogtag CA in the lite-server:
# To test against Dogtag CA in the lite-server:
#
# - Copy the 3 NSS db files from /etc/httpd/alias to ~/.ipa/alias
# - Copy /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd.
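
Review bot: "To test against Dogtag CA in the lite-server" is missing an article ("a Dogtag CA" or "the Dogtag CA"). Capitalisation also varies across this commit: "Dogtag" here and in the \-\-check\-ca text, "dogtag" in the certificate plugin help and the CAInstance docstring; pick one.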