This bug is created as a clone of upstream ticket:
Per discussion in #6220, add ca-enable and ca-disable commands.
The behaviour already exists in Dogtag; only needs to be exposed via IPA.
Note that ca-del must be updated to handle the case of target CA already
Currently, admins have no way to wholesale disable a CA, i.e. to
prevent it issuing new certificates with the possibility of
re-enabling it at a later time, and ensuring that certificates issued
by the CA can still be managed by FreeIPA.
There is currently no way to do this. A similar but limited
outcome can be achieved by removing the CA from all CA ACLs but this
has a variable - possibly very high - administrative overhead.
* c7e0dbc4e174d0bb7577de18cdb2f414f4199c57 Add ca-disable and ca-enable commands
* b037e54e457d731cd16144df7573f4c85d79368a Add ca-disable and ca-enable commands
Verified using IPA and PKI version ::
Marking BZ as verified. See attachment for console log.
Created attachment 1283632 [details]
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.