URL: https://github.com/freeipa/freeipa/pull/774 Title: #774: Deprecate pkinit-anonymous command abbra commented: """ Just remove the command completely. FreeIPA prior to 4.5 never supported PKINIT operations and never allowed using anonymous PKINIT. Disabling/enabling it was left for admins that knew what they wanted. However, with FreeIPA 4.5 we require anonymous PKINIT to be enabled all time -- be it with a local self-signed cert or with some other certificate issued by a proper CA. An anonymous principal can only be used to create a FAST channel, nothing else. """ See the full comment at https://github.com/freeipa/freeipa/pull/774#issuecomment-303363619