This effort (phase 2 of CA certificate utility) is planned for FreeIPA 4.1.

Hi, is there more info on how the data that needs to be distributed will be stored and exposed on the server side? In particular, how final is the design from http://www.freeipa.org/page/V4/CA_certificate_renewal?

We've got a couple of certmonger feature tickets ([#29] and https://fedorahosted.org/certmonger/ticket/31 #31) which look like they might overlap the cases that this ticket is targeting.

I think we still have some time. Phase 1 is for 4.0 while phase 2 is planned for 4.1.
See the link [http://www.freeipa.org/page/V4/CA_certificate_renewal_%282%29]
It would make perfect sense to combine the efforts if possible.

The same mechanism will be used for DNSSEC key distribution as described in ticket #4462.

Processing 4.2 backlog. This ticket was found as something that is not a priority for the nearest releases.

But as usual, please feel free to discuss your use cases or contribute patches, to make that happen sooner!

As this blocks #5117 which causes that no replicas are created when an own certificate is used I'd consider this as important.

You can do this manually with ipa-certupdate, so this ticket does not in fact block anything.

I wasn't aware of this workaround. Tested and works fine. Thx.

Does this command (ipa-certupdate) have to be run on each and every client once the CA certificate has been renewed?

Yes, it should.

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.