mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
7995518921
The latest version of caIPAserviceCert profile includes a feature that is not available before Dogtag 10.4, and this version of the profile is intended for new installs only (otherwise, problems will arise in topologies containing CA replicas at an earlier version). But IPA versions before v4.2 did not use LDAP-based profiles, so the new version of the profile gets imported when upgrading from pre-v4.2 to v4.5 or later.

We do not yet have a proper version- and topology-aware profile update mechanism, so to resolve this issue, ship the older version of the profile alongside the newer version, and make sure we use the older version when importing the profile in an upgrade context.

https://pagure.io/freeipa/issue/7097

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

- caIPAserviceCert.cfg
- caIPAserviceCert.UPGRADE.cfg
- IECUserRoles.cfg
- KDCs_PKINIT_Certs.cfg
- Makefile.am
- README
This directory contains profile TEMPLATES for certificate profiles included in FreeIPA. Do not import these files or modifications thereof - it is likely that Dogtag will accept the configuration, but certificate issuance will fail with the updated configuration. At best, it will not give you the certificates you want.

If you want to modify a profile configuration or create a new profile based on an existing profile configuration, you should export the current profile configuration with the command:

    ipa certprofile-show --out FILENAME PROFILE_NAME

After modifying the configuration, update the profile configuration:

    ipa certprofile-mod --file FILENAME PROFILE_NAME

Or if you are creating a new profile:

    ipa certprofile-import --desc DESC --store 1 \
        --file FILENAME NEW_PROFILE_NAME