This is something that we need to revisit when the CS and IPA start sharing same DS instance. 

 https://bugzilla.redhat.com/show_bug.cgi?id=750529 

Description of problem:
After CS replication is removed, replica can see a new host is issued a cert,
but doesn't have a copy of it, and throws a serial number error.

In response to a test case to do this, Rob's response:
I wonder if we should doc this. What is happening is the host is
replicating through a different channel, so we can see it. Because the
CS replication was removed we can see that the host has been issued a
valid certificate from our CA but our local install doesn't have a copy
of it, hence the serial # error.

This and a few others point out some pretty scary problems related to
certificate replication, this isn't something people should take lightly.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-6.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1.Install master, replica
2.Install CS server on replica
3.Delete the replication agreement, and the data from replica
# ipa-csreplica-manage del ipa-replica1.testrelm -p XXX
4. Add a host, add cert to a host from master
5. Check settings for this host from replica

Actual results:
Error that host?s cert cannot be found:
Certificate operation cannot be completed: EXCEPTION (Certificate serial number
0x2d not found)

Expected results:
if this is doc'd, the user will know to check CS replication, and be prepared.