#4559 [RFE] Support lightweight sub-CAs
Closed: Fixed None Opened 9 years ago by dpal.

When ticket #57 is implemented, IPA would be able to issue certificates with different contents and extensions. But all certificates will be issued by the IPA CA. This ticket calls for a capability to associate a subCA of the IPA CA with a profile, or to create a completely new CA (served by IPA) and associate a profile with this CA.

It should be possible to associate different profiles with different CAs, so it should be a many-to-many relationship.


master:

  • bc0c606 Add CA ACL plugin
  • 947af1a Enforce CA ACLs in cert-request command

The feature development was not finished before GA, so we will need to postpone it to the next feature release.

master:

  • fa149cf Remove service and host cert issuer validation

master:

  • f94ccca Allow CustodiaClient to be used by arbitrary principals

master:

  • b584ffa Add ACIs for Dogtag custodia client
  • 0d37d23 Optionally add service name to Custodia key DNs
  • b0d9a47 Setup lightweight CA key retrieval on install/upgrade
  • 903a90f Authorise CA Agent to manage lightweight CAs
  • 4660bb7 Add custodia store for lightweight CA key replication

master:

  • 3d4db83 Add 'ca' plugin
  • 7d86995 Add IPA CA entry on install / upgrade
  • 9c93015 Update 'caacl' plugin to support lightweight CAs
  • 0b0c078 Add CA argument to ra.request_certificate
  • ae6d5b7 Update cert-request to allow specifying CA
  • 08e0aa2 Add issuer options to cert-show and cert-find
  • f0915e6 replica-install: configure key retriever before starting Dogtag

master:

  • 47d33f3 Fix IssuerDN presence check in cert search result

master:

  • f0b1e37 ipaldap: turn LDAP filter utility functions into class methods
  • 67f13c8 Skip CS.cfg update if cert nickname not known
  • b720aa9 Update lightweight CA serial after renewal
  • 0078e7a ipa-certupdate: track lightweight CA certificates

Core is implemented. 4.4.0 was tagged, therefore closing this as fixed.

A new ticket should be opened for any missing part or a regression.

tests fixed in 4.4.1:

master:

  • ea9b15f ipatests: Tracker implementation for Sub CA feature
  • 5b37aaa ipatests: Extend CAACL suite to cover Sub CA members
  • d88a12f ipatests: Test Sub CA with CAACL and certificate profile
  • 0277a89 ipatests: remove ipacertbase option from test CSR configuration

Metadata Update from @dpal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4

7 years ago
