[Freeipa-devel] [RFE] CA certificate renewal
Rob Crittenden
rcritten at redhat.com
Mon Oct 7 17:16:28 UTC 2013
Jan Cholasta wrote:
> Hi,
>
> you can find a draft of the design document for this feature at
> <http://www.freeipa.org/page/V3/CA_certificate_renewal>.
>
> Comments are welcome.
>
> Honza
>
Shared certificate store.

DM should not be required. It may be required initially, but we have a
long-term goal of removing the need to be DM to perform operations. Note
that this would only probably be practical in a single-389-ds install.

Does readable by everyone include anonymous? I think it does but
probably best to spell it out.

Automatic renewal of IPA CA certificate.

certmonger currently has no notification capabilities. How will anyone
know that the renewal has failed unless they happen to run getcert list?
Unfortunately I don't really have an answer. An MTA is looking more and
more necessary.

What certmonger CA backend will be used for renewing an external CA?
Perhaps that can be used as some sort of notification via syslog?

Are you sure you can change the signing chain, essentially on-the-fly? I
imagine that the math will work ok but I don't know if changing the
issuer is valid.

I think the trust flag should include code signing by default since we
sign an object cert for Firefox. It would also probably be
forward-looking to go ahead and include clients as well.

Distributing CA certificates to clients

I think a certmonger CA-refresher backend should be done first. I echo
Martin's concerns about hourly polling and the load that entails. It
also doesn't cover all cases, like if you set up a web server using an
IPA cert there is no way to pick up the new CA.

Also, we issue a 20-year CA which means in the case where someone lets
it just run through there would be 175k polls to do nothing, then one to
get the new CA. That's a lot of cache misses.

Implementation

For the external case are you storing the original CSR anywhere? Do you
know how to generate a new CSR re-using the same key (I don't)?
rob
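The CSR question at the end of the message can be answered with plain OpenSSL: a new request can be generated from the existing private key at any time, so the original CSR does not need to be stored. The script below is an added example (not FreeIPA or certmonger code); it assumes the openssl CLI is installed, and the subject, key and file names are constructed for the demo. It also compares the SubjectPublicKeyInfo fingerprint of two CSRs, which is how a renewal check can confirm the key was reused rather than silently rotated.

```shell
#!/bin/sh
# Added example: renew a CA with a fresh CSR from the same key, then verify key reuse.
# Assumes: openssl CLI available. Subject/paths below are constructed for this demo.
set -eu

WORKDIR="${TMPDIR:-/tmp}/csr-reuse-demo.$$"
SUBJECT="/O=EXAMPLE.TEST/CN=Certificate Authority"   # constructed demo subject

# Initial enrollment: generate the CA key and the first CSR (what an external CA would sign).
make_original() {
    mkdir -p "$WORKDIR"
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/ca.key" -subj "$SUBJECT" \
        -out "$WORKDIR/original.csr" 2>/dev/null
}

# Renewal: a brand-new CSR built from the SAME private key. No stored CSR is needed;
# the request is recreated from the key and the desired subject.
make_renewal_csr() {
    openssl req -new -key "$WORKDIR/ca.key" -subj "$SUBJECT" \
        -out "$WORKDIR/renewal.csr" 2>/dev/null
}

# Contrast case: a CSR from a newly generated key, i.e. a key change a verifier must notice.
make_fresh_key_csr() {
    openssl genrsa -out "$WORKDIR/new.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/new.key" -subj "$SUBJECT" \
        -out "$WORKDIR/fresh.csr" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo carried in a CSR; empty on failure.
spki_fingerprint() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 only when both CSRs carry the same (non-empty) public key.
same_key() {
    a=$(spki_fingerprint "$1")
    b=$(spki_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Confirms the CSR's self-signature verifies, proving possession of the private key.
csr_self_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -qi 'verify ok'
}
```

Running `make_original; make_renewal_csr; same_key "$WORKDIR/original.csr" "$WORKDIR/renewal.csr"` succeeds, while comparing against a CSR from `make_fresh_key_csr` fails, which is the check a renewal pipeline wants before submitting the request to the external CA.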