[Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

Jan Cholasta jcholast at redhat.com
Tue Mar 25 14:44:32 UTC 2014


Hi,

the attached patches implement automatic CA certificate renewal as well 
as the initial version of the CA certificate management tool.

Requires my patches 172-196.

In order to test, you must install the current git version of certmonger 
(see <https://fedorahosted.org/certmonger/ticket/26>) and set SELinux to 
permissive (see <https://bugzilla.redhat.com/show_bug.cgi?id=1078783>). 
Make sure you install certmonger before running 
ipa-server-install/ipa-replica-install. On F20 you can use the RPMs located 
at <http://jcholast.fedorapeople.org/certmonger-git/>.

To test automatic renewal, move the system time forward (see 
<https://fedorahosted.org/freeipa/ticket/2803#comment:17> for more info 
about certificate renewal testing; the nickname of the CA certificate is 
"caSigningCert cert-pki-ca"). In CA-full installs the renewal should be 
fully automatic; in CA-less installs you should be alerted via syslog to 
renew the certificate using ipa-cacert-manage.

To test manual renewal, run "ipa-cacert-manage renew". You can run it on 
any CA master. To make the renewed certificate available on other CA 
masters, you must run "getcert resubmit -d /etc/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'" on each of them. Note that currently you 
can't change the chaining of the CA certificate.

Honza

-- 
Jan Cholasta
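The two checks this patch set adds around the CA certificate (patch 241's "is the certificate self-signed?" and patch 252's "alert when an externally signed CA is about to expire") are easy to misread without seeing them run. The block below is an added example, not FreeIPA's code and not the attached patches: it walks the DER of a certificate with a minimal parser, decides whether it is self-signed, and returns the advice the post describes (automatic renewal for a self-signed CA that certmonger tracks, an alert to run ipa-cacert-manage renew for an externally signed one). Assumptions, all labelled in the code: "self-signed" is defined as issuer Name bytes equal to subject Name bytes with no signature verification, the 28-day warning window is made up, and the test certificates are constructed inline and are unsigned (structurally valid only).

```python
import datetime

# --- minimal DER helpers (enough for the certificate fields we need) ---

def der_encode(tag, content):
    """Encode one DER element; lengths up to 65535 bytes are supported."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_tlv(buf, i):
    """Decode the element at offset i; return (tag, value, offset after it)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[start:start + length], start + length

def der_children(value):
    """Split a constructed element's contents into a list of (tag, value)."""
    out, i = [], 0
    while i < len(value):
        tag, val, i = der_tlv(value, i)
        out.append((tag, val))
    return out

# --- X.509 parsing: issuer, subject and notAfter only ---

def parse_time(tag, value):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])  # RFC 5280 4.1.2.5.1: 50-99 -> 19xx, 00-49 -> 20xx
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    dt = datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")
    return dt.replace(tzinfo=datetime.timezone.utc)

def parse_cert(cert_der):
    """Return issuer/subject Name bytes and notAfter from a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
        issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:          # skip the explicit [0] version when present
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_after = der_children(validity)[1]
    return {"issuer": issuer, "subject": subject, "not_after": parse_time(*not_after)}

def is_self_signed(cert):
    """Assumed definition: issuer Name equals subject Name (no signature check)."""
    return cert["issuer"] == cert["subject"]

def renewal_advice(cert_der, now, warn_days=28):
    """Return (status, days_left): 'auto' for a self-signed CA that certmonger
    tracks, 'alert' for an externally signed CA inside the (assumed) warning
    window, i.e. renew it with ipa-cacert-manage renew, and 'ok' otherwise."""
    cert = parse_cert(cert_der)
    days_left = (cert["not_after"] - now).days
    if is_self_signed(cert):
        return "auto", days_left
    return ("alert" if days_left <= warn_days else "ok"), days_left

# --- constructed test certificates (unsigned, structurally valid only) ---

def x509_name(cn):
    """Name ::= SEQUENCE OF SET OF { commonName OID 2.5.4.3, UTF8String }."""
    attr = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, attr))

def sample_cert(issuer_cn, subject_cn, not_before, not_after):
    """Build a certificate skeleton; the SPKI and signature are placeholders."""
    rsa = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_encode(0x05, b""))
    utc = lambda dt: der_encode(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))    # version v3
                     + der_encode(0x02, b"\x01")                    # serialNumber
                     + rsa
                     + x509_name(issuer_cn)
                     + der_encode(0x30, utc(not_before) + utc(not_after))
                     + x509_name(subject_cn)
                     + der_encode(0x30, rsa + der_encode(0x03, b"\x00\x00")))  # placeholder SPKI
    return der_encode(0x30, tbs + rsa + der_encode(0x03, b"\x00" * 8))  # placeholder signature

NOW = datetime.datetime(2014, 3, 25, tzinfo=datetime.timezone.utc)   # constructed: date of the post
_D = datetime.timedelta
SELF_SIGNED_CA = sample_cert("IPA CA", "IPA CA", NOW - _D(365), NOW + _D(10))
EXTERNAL_CA = sample_cert("External Root", "IPA CA", NOW - _D(365), NOW + _D(10))
HEALTHY_EXTERNAL_CA = sample_cert("External Root", "IPA CA", NOW - _D(365), NOW + _D(400))

if __name__ == "__main__":
    for label, c in (("self-signed", SELF_SIGNED_CA), ("external, 10 days", EXTERNAL_CA),
                     ("external, 400 days", HEALTHY_EXTERNAL_CA)):
        print(label, renewal_advice(c, NOW))
```

Feeding a real CA certificate is a matter of reading the DER bytes (for example the output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -r`) into `renewal_advice`; a production check would additionally verify the signature with the subject's key rather than rely on the Name comparison alone.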
-------------- next part --------------
Attachments (text/x-patch files, scrubbed by the archive):

freeipa-jcholast-241-Add-function-for-checking-if-certificate-is-self-sig.patch (897 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment.bin>
freeipa-jcholast-242-Support-CA-certificate-renewal-in-dogtag-ipa-ca-rene.patch (2619 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0001.bin>
freeipa-jcholast-243-Allow-IPA-master-hosts-to-update-CA-certificate-in-L.patch (1130 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0002.bin>
freeipa-jcholast-244-Automatically-update-CA-certificate-in-LDAP-on-renew.patch (2304 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0003.bin>
freeipa-jcholast-245-Track-CA-certificate-using-dogtag-ipa-ca-renew-agent.patch (5096 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0004.bin>
freeipa-jcholast-246-Add-method-for-setting-CA-renewal-master-in-LDAP-to-.patch (1594 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0005.bin>
freeipa-jcholast-247-Provide-additional-functions-to-ipapython.certmonger.patch (1791 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0006.bin>
freeipa-jcholast-248-Move-external-cert-validation-from-ipa-server-instal.patch (6022 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0007.bin>
freeipa-jcholast-249-Add-method-for-verifying-CA-certificates-to-NSSDatab.patch (1646 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0008.bin>
freeipa-jcholast-250-Add-permissions-for-CA-certificate-renewal.patch (2917 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0009.bin>
freeipa-jcholast-251-Add-CA-certificate-management-tool-ipa-cacert-manage.patch (16475 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0010.bin>
freeipa-jcholast-252-Alert-user-when-externally-signed-CA-is-about-to-exp.patch (1717 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0011.bin>
freeipa-jcholast-253-Load-sysupgrade.state-on-demand.patch (1349 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140325/6decfd8a/attachment-0012.bin>