Import profiles earlier during install

Currently, IPA certificate profile import happens at end of install.
Certificates issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions.  Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.

Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.

Part of: https://fedorahosted.org/freeipa/ticket/4002

Reviewed-By: Martin Basti <mbasti@redhat.com>

1 files changed, 0 insertions, 3 deletions

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 955e4cc11..999766d67 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -906,9 +906,6 @@ def install(options):
         service.print_msg("Restarting the certificate server")
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 
-        service.print_msg("Importing certificate profiles")
-        cainstance.import_included_profiles()
-
     if options.setup_dns:
         api.Backend.ldap2.connect(autobind=True)
         dns.install(False, False, options)