Title: #3509: [Backport][ipa-4-7] Profile-based system cert renewal
Manual backport of #3316 to ipa-4-7. We
may need to backport this change all the way to ipa-4-6 to allow us to change
the IPA RA certificate profile on older releases.
See also https://github.com/freeipa/freeipa/pull/3508
which is the ipa-4-7 backport PR.
There were some trivial conflicts. There were substantive conflicts for two patches,
but these were due to the switch from mod_nss to mod_ssl, and from NSSDB-based
IPA RA cert to PEM files. Those patches were not relevant, and were dropped.
Do not rely on CI only; I will have to test this change myself so I'll add WIP
label, and remove it when I'm satisfied.
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3509/head:pr3509
git checkout pr3509