[Freeipa-devel] [RFE] CA certificate renewal

Jan Cholasta jcholast at redhat.com
Mon Oct 7 18:20:26 UTC 2013


On 7.10.2013 19:16, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> you can find a draft of the design document for this feature at
>> <http://www.freeipa.org/page/V3/CA_certificate_renewal>.
>>
>> Comments are welcome.
>>
>> Honza
>>
>
> Shared certificate store.
>
> DM should not be required. It may be required initially, but we have a
> long-term goal of removing the need to be DM to perform operations. Note
> that this would only probably be practical in a single-389-ds install.

OK.

Who should be allowed to update CA certificates? Should I add a new 
privilege for that?

>
> Does readable by everyone include anonymous? I think it does but
> probably best to spell it out.

Yes, it does.

>
> Automatic renewal of IPA CA certificate.
>
> certmonger currently has no notification capabilities. How will anyone
> know that the renewal has failed unless they happen to run getcert list?
> Unfortunately I don't really have an answer. An MTA is looking more and
> more necessary.

I agree.

>
> What certmonger CA backend will be used for renewing an external CA?
> Perhaps that can be used as some sort of notification via syslog?

New one I created for this purpose. It already syslogs the message with 
LOG_ERR level - a higher level would be better for this, right?

>
> Are you sure you can change the signing chain, essentially on-the-fly? I
> imagine that the math will work ok but I don't know if changing the
> issuer is valid.

It seems to work, as long as CS.cfg is updated accordingly 
(hierarchy.select and subsystem.count are different for self-signed and 
signed by external CA).

>
> I think the trust flag should include code signing by default since we
> sign an object cert for Firefox. It would also probably be
> forward-looking to go ahead and include clients as well.

The trust flags are CT,C,C by default for the CA certificate issued by 
Dogtag. In CA-less installs, the object signing cert for Firefox is not 
created.

>
> Distributing CA certificates to clients
>
> I think a certmonger CA-refresher backend should be done first. I echo
> Martin's concerns about hourly polling and the load that entails. It
> also doesn't cover all cases, like if you set up a web server using an
> IPA cert there is no way to pick up the new CA.

Yes, it should, but I can't imagine how I could make it in time for 3.4. 
There's just not enough time, hence the cron-based solution.

>
> Also, we issue a 20-year CA which means in the case where someone lets
> it just run through there would be 175k polls to do nothing, then one to
> get the new CA. That's a lot of cache misses.

The script is run hourly, but it will not poll the server every time.

>
> Implementation
>
> For the external case are you storing the original CSR anywhere? Do you
> know how to generate a new CSR re-using the same key (I don't)?

Certmonger supplies the CSR to the CA helper in an environment variable, 
I export it from there.

>
> rob

Thanks for the review!

Honza

-- 
Jan Cholasta
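The certmonger CA helper interface that the reply above relies on (the helper receives the CSR in an environment variable and reports back through its exit status and stdout), shown as an added example. This is not Honza's helper and not FreeIPA code; the environment variable names (CERTMONGER_OPERATION, CERTMONGER_CSR, CERTMONGER_CA_COOKIE) and the exit statuses are certmonger's helper contract, while the export directory, the file names, the LOG_ERR message text and the retry delay are this example's own assumptions. It also answers Rob's "new CSR with the same key" question in code: certmonger builds the CSR from the key it already tracks, so the helper only has to export it, never regenerate it.

```python
#!/usr/bin/env python3
"""Added example: a minimal certmonger CA helper for an externally signed
IPA CA certificate. Not the helper from the thread. certmonger runs the
helper with the request in environment variables and reads its verdict
from the exit status and stdout; those names and codes are certmonger's.
The export directory, file names and delay are this example's choices."""
import os
import sys
import tempfile

# Exit statuses certmonger understands from a CA helper.
CA_STATUS_ISSUED = 0            # PEM certificate is on stdout
CA_STATUS_WAIT = 1              # ask again later; cookie on stdout
CA_STATUS_REJECTED = 2          # error text on stdout
CA_STATUS_UNREACHABLE = 3
CA_STATUS_UNCONFIGURED = 4
CA_STATUS_WAIT_WITH_DELAY = 5   # first stdout line: seconds to wait, then cookie

EXPORT_DIR = "/var/lib/ipa/ca-renewal"   # hypothetical root-only directory
CSR_NAME, CERT_NAME = "ca.csr", "ca.crt"
RETRY_DELAY = 8 * 3600                   # how long certmonger waits before POLL


def log_err(msg):
    """Log at LOG_ERR via syslog, as the helper in the thread does, plus stderr."""
    try:
        import syslog
        syslog.syslog(syslog.LOG_ERR, msg)
    except ImportError:          # non-Unix host, keep going
        pass
    sys.stderr.write(msg + "\n")


def run_helper(env, export_dir=EXPORT_DIR):
    """Handle one certmonger invocation. Returns (exit_status, stdout_text)."""
    op = env.get("CERTMONGER_OPERATION", "")
    csr_path = os.path.join(export_dir, CSR_NAME)
    cert_path = os.path.join(export_dir, CERT_NAME)

    if op == "SUBMIT":
        csr = env.get("CERTMONGER_CSR", "")
        if "-----BEGIN" not in csr:
            log_err("CA renewal: certmonger passed no PEM CSR in CERTMONGER_CSR")
            return CA_STATUS_UNCONFIGURED, "no CSR supplied\n"
        os.makedirs(export_dir, mode=0o700, exist_ok=True)
        # certmonger built this CSR from the existing CA key, so sending it
        # to the external CA renews the certificate without changing the key.
        with open(csr_path, "w") as f:
            f.write(csr.rstrip("\n") + "\n")
        os.chmod(csr_path, 0o600)
        log_err("CA renewal: CSR exported to %s; have it signed by the "
                "external CA and place the result in %s" % (csr_path, cert_path))
        return CA_STATUS_WAIT_WITH_DELAY, "%d\n%s\n" % (RETRY_DELAY, csr_path)

    if op == "POLL":
        if os.path.isfile(cert_path):
            with open(cert_path) as f:
                cert = f.read()
            if "-----BEGIN CERTIFICATE-----" in cert:
                return CA_STATUS_ISSUED, cert
        log_err("CA renewal: still waiting for the signed CA certificate in %s"
                % cert_path)
        cookie = env.get("CERTMONGER_CA_COOKIE", csr_path)
        return CA_STATUS_WAIT_WITH_DELAY, "%d\n%s\n" % (RETRY_DELAY, cookie)

    log_err("CA renewal: unsupported operation %r" % op)
    return CA_STATUS_UNCONFIGURED, "unsupported operation\n"


def simulate_cycle():
    """SUBMIT, an early POLL, then POLL after the certificate appears, in a
    temporary directory with a constructed (not real) CSR and certificate."""
    fake_csr = ("-----BEGIN CERTIFICATE REQUEST-----\nMIIB...constructed...\n"
                "-----END CERTIFICATE REQUEST-----\n")
    fake_cert = ("-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n"
                 "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        s1, out1 = run_helper({"CERTMONGER_OPERATION": "SUBMIT",
                               "CERTMONGER_CSR": fake_csr}, d)
        cookie = out1.split("\n")[1]
        s2, _ = run_helper({"CERTMONGER_OPERATION": "POLL",
                            "CERTMONGER_CA_COOKIE": cookie}, d)
        with open(os.path.join(d, CERT_NAME), "w") as f:
            f.write(fake_cert)
        s3, out3 = run_helper({"CERTMONGER_OPERATION": "POLL",
                               "CERTMONGER_CA_COOKIE": cookie}, d)
        with open(os.path.join(d, CSR_NAME)) as f:
            exported = f.read() == fake_csr
    return s1, out1.split("\n")[0], s2, s3, out3 == fake_cert, exported


if __name__ == "__main__":
    status, out = run_helper(os.environ)
    sys.stdout.write(out)
    sys.exit(status)
```

Because the helper exits 5 rather than 1, it also controls how soon certmonger polls again, which is the only feedback channel a helper has until certmonger grows notifications; the LOG_ERR line is what an operator grepping syslog would actually see.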

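An hourly cron job that does not contact the server on every tick, as an added example for the "run hourly but not poll every time" point in the reply; this is not the FreeIPA script, and since the design page is not reproduced here the policy is this example's assumption: poll at most once per POLL_INTERVAL while the server answers, back off exponentially (capped) while it does not, and touch the local trust stores only when the fetched chain's hash changes. fetch() and install() are stand-ins for the real retrieval from the shared certificate store and the local installation; the state file path is hypothetical. Under this policy a 20-year CA certificate costs roughly 7,300 server round trips instead of the 175k hourly polls mentioned above, and the hourly tick itself only reads one small JSON file.

```python
#!/usr/bin/env python3
"""Added example: throttled CA-certificate refresher for an hourly cron job.
Not FreeIPA's script; the polling policy is this example's assumption."""
import hashlib
import json
import os

STATE_FILE = "/var/lib/ipa/ca-refresh.json"  # hypothetical location
POLL_INTERVAL = 24 * 3600      # contact the server at most daily when healthy
MIN_BACKOFF = 3600             # first retry one cron tick after a failure
MAX_BACKOFF = 7 * 24 * 3600    # never wait longer than a week to retry


def load_state(path):
    """State left by the previous tick; the defaults make the first tick poll."""
    try:
        with open(path) as f:
            return json.load(f)
    except (OSError, ValueError):
        return {"next_poll": 0, "backoff": MIN_BACKOFF, "fingerprint": None}


def save_state(path, state):
    tmp = path + ".tmp"                # write-then-rename so a crash cannot
    with open(tmp, "w") as f:          # leave a half-written state file
        json.dump(state, f)
    os.replace(tmp, path)


def run_once(fetch, install, state, now):
    """One cron tick. Returns (polled, state).

    fetch()        -> bytes of the CA certificate chain; raises when the
                      server is unreachable or the reply is unusable
    install(chain) -> called only when the chain differs from the cached one
    """
    if now < state["next_poll"]:
        return False, state                        # the common hourly no-op
    try:
        chain = fetch()
    except Exception:                              # any failure: back off
        state["next_poll"] = now + state["backoff"]
        state["backoff"] = min(state["backoff"] * 2, MAX_BACKOFF)
        return True, state
    fingerprint = hashlib.sha256(chain).hexdigest()
    if fingerprint != state["fingerprint"]:
        install(chain)                             # only on an actual change
        state["fingerprint"] = fingerprint
    state["backoff"] = MIN_BACKOFF                 # healthy again
    state["next_poll"] = now + POLL_INTERVAL
    return True, state
```

The cron entry would call load_state(), run_once() with the real fetch and install callables and the current time, then save_state(); the expensive step stays behind the next_poll check, which is what keeps the hourly schedule cheap.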