[Freeipa-devel] [RFE] CA certificate renewal

Rob Crittenden rcritten at redhat.com
Mon Oct 7 17:16:28 UTC 2013


Jan Cholasta wrote:
> Hi,
>
> you can find a draft of the design document for this feature at
> <http://www.freeipa.org/page/V3/CA_certificate_renewal>.
>
> Comments are welcome.
>
> Honza
>

Shared certificate store.

DM should not be required. It may be required initially, but we have a 
long-term goal of removing the need to be DM to perform operations. Note 
that this would only probably be practical in a single-389-ds install.

Does readable by everyone include anonymous? I think it does but 
probably best to spell it out.

Automatic renewal of IPA CA certificate.

certmonger currently has no notification capabilities. How will anyone 
know that the renewal has failed unless they happen to run getcert list? 
Unfortunately I don't really have an answer. An MTA is looking more and 
more necessary.

What certmonger CA backend will be used for renewing an external CA? 
Perhaps that can be used as some sort of notification via syslog?

Are you sure you can change the signing chain, essentially on-the-fly? I 
imagine that the math will work ok but I don't know if changing the 
issuer is valid.

I think the trust flag should include code signing by default since we 
sign an object cert for Firefox. It would also probably be 
forward-looking to go ahead and include clients as well.

Distributing CA certificates to clients

I think a certmonger CA-refresher backend should be done first. I echo 
Martin's concerns about hourly polling and the load that entails. It 
also doesn't cover all cases, like if you set up a web server using an 
IPA cert there is no way to pick up the new CA.

Also, we issue a 20-year CA which means in the case where someone lets 
it just run through there would be 175k polls to do nothing, then one to 
get the new CA. That's a lot of cache misses.

Implementation

For the external case are you storing the original CSR anywhere? Do you 
know how to generate a new CSR re-using the same key (I don't)?

rob
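Rob's last question above, whether a new CSR can be generated re-using the same key, as an added example that is not part of this thread or of FreeIPA's own code: it builds an "original" and a "renewal" CSR from one key with the openssl CLI (FreeIPA itself drives certmonger and NSS, so the tool choice, the file paths and the subject are assumptions) and checks that the public key carried in both CSRs matches the key file, then shows that a CSR made from a freshly generated key is detected as a key change.

```shell
# Added example (not from the FreeIPA thread): a renewed CA CSR must be built
# from the existing CA key, which can be verified by comparing the public key
# embedded in each CSR. Needs only the openssl CLI; paths/subject are assumed.
WORK=$(mktemp -d)
# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# Generate an RSA key at the given path (done once for the real CA).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}
# Build a CSR from an existing key: $1 = key path, $2 = CSR output path.
# This is the step that re-uses the key: no key generation happens here.
make_csr() {
    openssl req -new -config "$WORK/req.cnf" -key "$1" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" -out "$2" 2>/dev/null
}
# SHA-256 over the DER SubjectPublicKeyInfo carried in a CSR.
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# Same digest computed directly from a private key, for cross-checking.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
# Returns 0 when an "original" and a "renewal" CSR made from one key both
# carry exactly the public key of that key file.
same_key_check() {
    gen_key "$WORK/ca.key"
    make_csr "$WORK/ca.key" "$WORK/original.csr"
    make_csr "$WORK/ca.key" "$WORK/renewal.csr"
    a=$(csr_pubkey_fp "$WORK/original.csr")
    b=$(csr_pubkey_fp "$WORK/renewal.csr")
    k=$(key_pubkey_fp "$WORK/ca.key")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" = "$k" ]
}
# Returns 0 when a CSR made from a fresh key is detected as a key change,
# the failure mode a renewal procedure must refuse to sign.
fresh_key_detected() {
    gen_key "$WORK/ca.key"; gen_key "$WORK/fresh.key"
    make_csr "$WORK/ca.key" "$WORK/original.csr"
    make_csr "$WORK/fresh.key" "$WORK/bad-renewal.csr"
    [ "$(csr_pubkey_fp "$WORK/original.csr")" != "$(csr_pubkey_fp "$WORK/bad-renewal.csr")" ]
}
```

The same fingerprint comparison can be run against the currently installed CA certificate (`openssl x509 -in ca.crt -noout -pubkey`) before the renewal CSR is sent to the external CA.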