[Freeipa-devel] [RFE] CA certificate renewal

Jan Cholasta jcholast at redhat.com
Mon Oct 7 16:28:12 UTC 2013


On 7.10.2013 17:30, Martin Kosek wrote:
> On 10/04/2013 12:01 PM, Jan Cholasta wrote:
>> Hi,
>>
>> you can find a draft of the design document for this feature at
>> <http://www.freeipa.org/page/V3/CA_certificate_renewal>.
>>
>> Comments are welcome.
>>
>> Honza
>>
>
> 1) Shared certificate store
>
> Shouldn't we name the container as cn=cacerts,cn=ipa,cn=etc,suffix? It seems
> that current design would allow storing certificates not only for IPA CA, but
> also custom servers managed by IPA.

The store is basically an NSS database in LDAP, so theoretically you
could store any cert in there, but IPA will understand only CA
certificates (at least for now).

>
>
> 2) Distributing CA certificates to clients
>
> So /etc/ipa/ca.crt would contain multiple certificates, even the whole
> certificate chains? Will that fly for example when doing ldapsearch -ZZZ + have
> TLS_CACERT pointing to /etc/ipa/ca.crt?

libldap understands CA PEM bundles, so this will fly.

>
>
> 3) Implementation
>
> I am not confident about the cron part. If you have 1000 client machines,
> asking every hour for an update, that could create a lot of traffic. Maybe some
> certmonger-like heuristics would be in place? Like test each week under normal
> circumstances, test each day when a cert in /etc/ipa/ca.crt is about to expire.
>
> I am also thinking how to randomize the cron schedule so that every client does
> not run the check in the same moment - to split the load.

The script is run hourly for sufficiently small time granularity, but
that doesn't mean it will contact the server every time it is run. Some
heuristics and randomization will definitely be in place.

>
> Martin
>

Honza

-- 
Jan Cholasta
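The two client-side points raised in the thread, a PEM bundle with several CA certificates in /etc/ipa/ca.crt and an hourly cron job that only occasionally contacts the server, can be sketched in a few lines. The following is an added example, not code from FreeIPA or from the design document; it splits a bundle into its certificate blocks and models the polling heuristic described above (weekly under normal circumstances, daily when a certificate in the bundle is about to expire, with random jitter so a fleet of clients does not hit the server in the same moment). The 30-day "about to expire" threshold, the 25% jitter and the sample bundle and expiry dates are assumptions made for the example; the `hourly_run`/`simulate` names are hypothetical.

```python
"""Hypothetical client-side CA bundle refresh scheduling (example, not IPA code)."""
import random
import re
from datetime import datetime, timedelta, timezone

# One block per certificate in a PEM bundle such as /etc/ipa/ca.crt.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S
)

NORMAL_INTERVAL = timedelta(days=7)   # poll weekly under normal circumstances
URGENT_INTERVAL = timedelta(days=1)   # poll daily when a CA cert is about to expire
NEAR_EXPIRY = timedelta(days=30)      # "about to expire" threshold (assumed value)
JITTER_FRACTION = 0.25                # add up to +25% of the interval as random jitter

# Constructed sample data: the timestamp of the mail and two fake certificate
# blocks (valid base64, but not real certificates).
NOW = datetime(2013, 10, 7, 16, 28, 12, tzinfo=timezone.utc)
SAMPLE_EXPIRIES = [NOW + timedelta(days=365), NOW + timedelta(days=730)]
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1A=
-----END CERTIFICATE-----
"""


def split_pem_bundle(text):
    """Return the individual PEM certificate blocks found in a bundle."""
    return PEM_CERT_RE.findall(text)


def base_interval(expiries, now):
    """Weekly normally, daily once the soonest-expiring cert is within NEAR_EXPIRY."""
    if not expiries:
        return URGENT_INTERVAL  # empty or unreadable bundle: check again soon
    return URGENT_INTERVAL if min(expiries) - now <= NEAR_EXPIRY else NORMAL_INTERVAL


def plan_next_check(now, expiries, rng):
    """Next time this client should contact the server: base interval plus jitter."""
    base = base_interval(expiries, now)
    jitter = timedelta(seconds=rng.uniform(0, base.total_seconds() * JITTER_FRACTION))
    return now + base + jitter


def hourly_run(state, now, expiries, rng):
    """Body of the hourly cron job. ``state`` is {'next_check': datetime or None},
    persisted between runs. Returns (contact_server, new_state); the server is
    contacted only when the planned check time has been reached."""
    next_check = state.get("next_check")
    if next_check is not None and now < next_check:
        return False, state  # not due yet: no network traffic this hour
    return True, {"next_check": plan_next_check(now, expiries, rng)}


def simulate(hours, expiries, seed, start=NOW):
    """Run the hourly job for ``hours`` hours; return the hour offsets at which
    the client actually contacted the server."""
    rng = random.Random(seed)
    state = {"next_check": None}
    contacts = []
    for h in range(hours):
        contact, state = hourly_run(state, now=start + timedelta(hours=h),
                                    expiries=expiries, rng=rng)
        if contact:
            contacts.append(h)
    return contacts


if __name__ == "__main__":
    print("certificates in bundle:", len(split_pem_bundle(SAMPLE_BUNDLE)))
    print("normal client, 2 weeks:", simulate(24 * 14, SAMPLE_EXPIRIES, seed=1))
    print("cert expiring soon, 3 days:", simulate(72, [NOW + NEAR_EXPIRY], seed=2))
    # 1000 clients with different seeds: spread of their second contact hour
    second = [simulate(24 * 14, SAMPLE_EXPIRIES, seed=s)[1] for s in range(1000)]
    print("second contact spread over hours %d..%d" % (min(second), max(second)))
```

The decision of when to poll lives entirely in `plan_next_check`, so the cron entry itself can stay a fixed hourly invocation; only the persisted `next_check` changes, and the jitter is drawn per client, which is what spreads the load across the fleet.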
