[Freeipa-devel] [RFE] CA certificate renewal
Martin Kosek
mkosek at redhat.com
Mon Oct 7 15:30:43 UTC 2013
On 10/04/2013 12:01 PM, Jan Cholasta wrote:
> Hi,
>
> you can find a draft of the design document for this feature at
> <http://www.freeipa.org/page/V3/CA_certificate_renewal>.
>
> Comments are welcome.
>
> Honza
>
1) Shared certificate store

Shouldn't we name the container cn=cacerts,cn=ipa,cn=etc,suffix? It seems
that the current design would allow storing certificates not only for the IPA
CA, but also for custom servers managed by IPA.

2) Distributing CA certificates to clients

So /etc/ipa/ca.crt would contain multiple certificates, even whole
certificate chains? Will that fly, for example, when doing ldapsearch -ZZZ with
TLS_CACERT pointing to /etc/ipa/ca.crt?

3) Implementation

I am not confident about the cron part. If you have 1000 client machines, each
asking for an update every hour, that could create a lot of traffic. Maybe some
certmonger-like heuristics would be in order? Like testing each week under
normal circumstances and each day when a cert in /etc/ipa/ca.crt is about to
expire. I am also thinking about how to randomize the cron schedule so that not
every client runs the check at the same moment, to split the load.
Martin
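The scheduling heuristics raised under point 3 (weekly checks normally, daily
checks when a certificate in /etc/ipa/ca.crt is about to expire, and a
per-host offset so clients do not all hit the servers in the same moment) can
be modelled in a few functions. The block below is an added example written
for this thread; it is not FreeIPA code, not part of the design document, and
not anything either poster wrote. Its assumptions are: "about to expire" means
within 30 days, the per-host offset is derived from a SHA-256 hash of the
hostname rather than from random(), and expiry dates are handed in as
datetimes (on a real client they would be read from each PEM block of the
bundle, e.g. with `openssl x509 -noout -enddate`). The PEM bundle, expiry
dates and hostnames in it are constructed sample data, not real certificates.

```python
"""Client-side scheduling for a CA-certificate refresh check (added example,
not FreeIPA code).

Weekly under normal circumstances, daily once a certificate in the local
bundle is about to expire, and each host runs at a stable host-specific offset
inside the window so 1000 clients spread their load over the whole window.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)
DAY = timedelta(days=1)
# Assumption for this example: "about to expire" means within 30 days.
EXPIRY_WARNING = timedelta(days=30)

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return every PEM certificate block in a bundle, in file order.

    A bundle like /etc/ipa/ca.crt may carry several certificates (or whole
    chains), so the refresh job must look at every block, not only the first.
    """
    return _PEM_CERT.findall(text)


def check_interval(not_afters, now):
    """Weekly normally; daily once the soonest notAfter is inside the warning
    window or already in the past."""
    soonest = min(not_afters)
    return DAY if soonest - now <= EXPIRY_WARNING else WEEK


def host_offset(hostname, interval):
    """Stable per-host offset in [0, interval), derived from the hostname.

    Hashing the hostname (assumption of this example) instead of calling
    random() keeps a host in the same slot across reboots and cron runs while
    still spreading different hosts evenly over the window.
    """
    digest = hashlib.sha256(hostname.encode("utf-8")).digest()
    fraction = int.from_bytes(digest[:8], "big") / 2 ** 64
    return timedelta(seconds=int(interval.total_seconds() * fraction))


def next_check(hostname, not_afters, now):
    """Next time this host should ask the server for an updated bundle.

    Time is cut into epoch-aligned windows of `interval` length; the host runs
    once per window at its own offset, so the result lies in (now, now + interval].
    """
    interval = check_interval(not_afters, now)
    seconds = interval.total_seconds()
    window_start = datetime.fromtimestamp(
        (now.timestamp() // seconds) * seconds, tz=timezone.utc)
    candidate = window_start + host_offset(hostname, interval)
    if candidate <= now:
        candidate += interval
    return candidate


def load_histogram(hostnames, interval, buckets):
    """How many hosts land in each of `buckets` equal slices of the window."""
    counts = [0] * buckets
    for name in hostnames:
        fraction = host_offset(name, interval) / interval
        counts[min(int(fraction * buckets), buckets - 1)] += 1
    return counts


# Constructed sample data (not real certificates): the e-mail's date as "now",
# a two-block PEM bundle with dummy bodies, and two sets of expiry dates.
SAMPLE_NOW = datetime(2013, 10, 7, 15, 30, 43, tzinfo=timezone.utc)
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBdummyRootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBdummyIntermediate
-----END CERTIFICATE-----
"""
SAMPLE_NOT_AFTERS_FAR = [datetime(2023, 10, 7, tzinfo=timezone.utc),
                         datetime(2033, 10, 7, tzinfo=timezone.utc)]
SAMPLE_NOT_AFTERS_NEAR = [datetime(2013, 10, 20, tzinfo=timezone.utc),
                          datetime(2033, 10, 7, tzinfo=timezone.utc)]
SAMPLE_HOSTS = ["client%04d.example.test" % i for i in range(1000)]

if __name__ == "__main__":
    print(len(split_pem_bundle(SAMPLE_BUNDLE)), "certificates in bundle")
    for host in ("client0001.example.test", "client0002.example.test"):
        print(host, next_check(host, SAMPLE_NOT_AFTERS_FAR, SAMPLE_NOW))
    print(load_histogram(SAMPLE_HOSTS, WEEK, 24))
```

With 1000 hosts and a weekly window, the histogram shows the checks spread
roughly evenly across the 24 slices rather than landing in one cron minute;
switching a host to the daily interval only happens once its own copy of the
bundle is near expiry, so the extra traffic is limited to the clients that
actually need a fresh certificate.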