[Freeipa-devel] certmonger everywhere

Simo Sorce ssorce at redhat.com
Tue Dec 15 17:22:56 UTC 2015 

On Tue, 2015-12-15 at 16:23 +0100, Martin Kosek wrote:
> On 12/15/2015 08:54 AM, Jan Cholasta wrote:
> > Hi,
> > 
> > recently I and David discussed the direction of installers with regard to
> > requesting certificates. Currently there are four (!) different ways of
> > requesting certificates in the installer [1][2][3][4]. We would like to reduce
> > it to one.
> > 
> > Since all the certificates are tracked by certmonger and certmonger already
> > knows how to request certificates from Dogtag (and other CAs), we believe that
> > all certificates should be requested using certmonger.
> > 
> > Taking our meditation further, we thought "Why not use certmonger for the
> > cert-request command as well?" What is the benefit, do you ask?
> > 
> >  a) single code path for requesting certificates (seriously, the current state
> > is ridiculous)
> > 
> >  b) use any CA supported by certmonger as the IPA CA (i.e. Let's Encrypt [5],
> > once certmonger gains support for it)
> > 
> >  c) automate external CA install, using any CA supported by certmonger [6]
> > 
> >  d) support multiple different CAs at once (generalization of the Sub-CA feature)
> > 
> >  e) uniform configuration on clients (configure once, use forever, even for
> > CA-less)
> > 
> > The idea is to store configuration for the different CAs in LDAP and have
> > cert-request redirect requests to a proper CA helper according to that
> > configuration. This would require a new certmonger D-Bus method to call a CA
> > helper without associated certificate storage, but that should be rather easy
> > to add. In return, it would be possible to do all of the above.
> > 
> > Note that this should not conflict with tighter integration with Dogtag
> > (profiles, ACLs, etc.).
> > 
> > Comments are welcome.
> > 
> > Honza
> > 
> > [1]
> > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipapython/certmonger.py#n305>
> > [2]
> > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/certs.py#n329>
> > 
> > [3]
> > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/certs.py#n355>
> > 
> > [4]
> > <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/cainstance.py#n878>
> > 
> > [5] <https://fedorahosted.org/freeipa/ticket/5431>
> > [6] <https://fedorahosted.org/freeipa/ticket/5317>
> 
> Interesting idea! I would be definitely interested to hear what Fraser, Rob or
> Simo thinks here.

Sounds great to me in principle.

How do you handle CAs that do not have automatic workflows for csr
handling ?

That's the reason we did the 2 step process (in reference to [6])

Simo.

More information about the Freeipa-devel mailing list