[Freeipa-devel] Multiple CA certificates in LDAP, questions

Simo Sorce ssorce at redhat.com
Tue Oct 1 19:57:13 UTC 2013


----- Original Message -----
> On 13.9.2013 11:05, Jan Cholasta wrote:
> > On 13.9.2013 10:53, Martin Kosek wrote:
> >> On 09/13/2013 10:51 AM, Jan Cholasta wrote:
> >>> On 5.9.2013 10:28, Jan Cholasta wrote:
> >>>> On 3.9.2013 18:16, Dmitri Pal wrote:
> >>>>> On 09/02/2013 04:49 AM, Petr Spacek wrote:
> >>>>>> It reminds me of problems with key-rotation for DNSSEC.
> >>>>>>
> >>>>>> Could we find common problems and use the same/similar solution for
> >>>>>> both problems?
> >>>>>>
> >>>>>> An extension for certmonger? Oddjob? Or a completely new daemon?
> >>>>>>
> >>>>> Certmonger already has a way to:
> >>>>> 1) Check things periodically
> >>>>> 2) Hand certs in different places
> >>>>> 3) Run post op scripts
> >>>>>
> >>>>> IMO it is a good candidate but I would leave it to Nalin to chime in.
> >>>>>
> >>>>
> >>>> I would expect more things that require periodic checking on clients
> >>>> beyond certificates to come in the future, so I'm not sure if doing
> >>>> this
> >>>> in certmonger is the right thing to do. Also, SSSD already does a
> >>>> similar thing for realm domains, right?
> >>
> >> Are you suggesting extending SSSD to handle that?
> >
> > Yes.
> >
> >>
> >>>>
> >>>> Honza
> >>>>
> >>>
> >>> So, does anyone have any strong opinions on this?
> >>
> >> Not at this point. BTW, is there any reason why we cannot go the
> >> simple way and
> >> just utilize cron and a script? Previously we just dropped conf to
> >> /etc/cron.d
> >> for ipa-compliance script and it worked quite well.
> >
> > Hmm, that's so simple it might just work. At least until there is a
> > better way.
> 
> I have been thinking about this for some time now and came up with this
> solution:
> 
> Write a library implementing the PKCS#11 API (Cryptoki), which would
> provide the shared CA certificates and associated information
> (nicknames, trust flags). The library would get the certificates from
> SSSD, which in turn would get them from IPA (and do the usual stuff like
> caching).
> 
> This library could then be used by IPA NSS databases as a source of
> trust information for IPA services (see modutil). It could also be used
> by p11-glue to provide the trust information to the rest of the system.
> 
> Pros:
>    * Automatic support for getting trust information stored in IPA in
> all the applications that understand PKCS#11.
>    * Certificates are fetched from IPA on-demand, not periodically like
> in the previous solutions.
> 
> Cons:
>    * Complexity of implementation? (I don't know about this one, I
> briefly looked at the source code of the p11-kit PKCS#11 module and it
> looked manageable to me.)
> 
> Does this sound reasonable?


Sounds reasonable to me, however I assume you will do some caching, both to avoid lengthy waits and to handle offline cases, so I'd like to know more about how/when you are going to use the caches vs fetching the cert chains from the server.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
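To make the fetch-vs-cache question above concrete, here is an added example (not FreeIPA or SSSD code) that models the proposed on-demand lookup of shared CA certificates by nickname with trust flags, plus the caching and offline fallback Simo asks about. The `TrustEntry` layout, the fetch callable, `FakeServer` and all sample data are assumptions constructed for the demo.

```python
"""Model of the on-demand, cached CA trust lookup proposed in the thread.
Added example; the entry layout, fetch interface and sample data are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class TrustEntry:
    nickname: str
    cert_pem: str      # constructed placeholder, not a real certificate
    trust_flags: str   # NSS-style "ssl,email,objsign" flags, e.g. "CT,C,C"

def trusted_ca_for(entry: TrustEntry, usage: str) -> bool:
    """Simplified NSS flag semantics: 'C' marks a trusted CA for that usage,
    'p' marks explicit distrust, and distrust wins."""
    col = {"ssl": 0, "email": 1, "objsign": 2}[usage]
    flags = (entry.trust_flags.split(",") + ["", "", ""])[col]
    return "C" in flags and "p" not in flags

class TrustStore:
    """Serves entries from cache while fresh, re-fetches when stale, and uses
    the stale copy only when the server is unreachable (fail closed otherwise)."""
    def __init__(self, fetch: Callable[[str], Optional[TrustEntry]], max_age: float):
        self._fetch = fetch        # assumed to raise ConnectionError when offline
        self._max_age = max_age
        self._cache: Dict[str, Tuple[float, Optional[TrustEntry]]] = {}

    def lookup(self, nickname: str, now: float):
        """Returns (entry, source); source is fresh, cached, stale or missing."""
        hit = self._cache.get(nickname)
        if hit is not None and now - hit[0] < self._max_age:
            return hit[1], ("cached" if hit[1] else "missing")
        try:
            entry = self._fetch(nickname)
        except ConnectionError:
            if hit is not None and hit[1] is not None:
                return hit[1], "stale"   # offline: stale anchors beat none
            raise                        # nothing cached: do not guess
        self._cache[nickname] = (now, entry)   # None is cached too (negative)
        return entry, ("fresh" if entry else "missing")

# Constructed sample directory and a server stub that can be taken offline.
SAMPLE = {"IPA CA": TrustEntry("IPA CA", "<constructed PEM>", "CT,C,C"),
          "Old CA": TrustEntry("Old CA", "<constructed PEM>", "p,p,p")}

class FakeServer:
    def __init__(self):
        self.online, self.calls = True, 0
    def fetch(self, nickname: str) -> Optional[TrustEntry]:
        self.calls += 1
        if not self.online:
            raise ConnectionError("IPA server unreachable")
        return SAMPLE.get(nickname)
```

Switching `FakeServer.online` off between lookups shows the three behaviours a PKCS#11 consumer would see: a fresh fetch, a cache hit without a server round-trip, and a stale answer only for nicknames that were seen before.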
