Bump pki min version and add commentary about sub-CA revocation on delete

freeipa.spec.in

@@ -161,8 +161,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.3-3
-Requires: pki-kra >= 10.3.3-3
+Requires: pki-ca >= 10.3.5-6
+Requires: pki-kra >= 10.3.5-6
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip

ipaserver/plugins/ca.py

@@ -14,33 +14,38 @@
 
 __doc__ = _("""
 Manage Certificate Authorities
-
+""") + _("""
 Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance
 of X.509 certificates.
-
+""") + _("""
 CAs are enabled on creation, but their use is subject to CA ACLs unless the
 operator has permission to bypass CA ACLs.
-
+""") + _("""
 All CAs except the 'IPA' CA can be disabled or re-enabled.  Disabling a CA
 prevents it from issuing certificates but does not affect the validity of its
 certificate.
-
-
+""") + _("""
+CAs (all except the 'IPA' CA) can be deleted.  Deleting a CA causes its signing
+certificate to be revoked and its private key deleted.
+""") + _("""
 EXAMPLES:
-
+""") + _("""
   Create new CA, subordinate to the IPA CA.
 
     ipa ca-add puppet --desc "Puppet" \\
         --subject "CN=Puppet CA,O=EXAMPLE.COM"
-
+""") + _("""
   Disable a CA.
 
     ipa ca-disable puppet
-
+""") + _("""
   Re-enable a CA.
 
     ipa ca-enable puppet
+""") + _("""
+  Delete a CA.
 
+    ipa ca-del puppet
 """)