[Freeipa-devel] [PATCH 0014] Support multiple user and host certificates

Martin Kosek mkosek at redhat.com
Thu May 28 09:52:25 UTC 2015


On 05/28/2015 11:17 AM, Martin Basti wrote:
> On 28/05/15 10:46, Martin Kosek wrote:
>> On 05/27/2015 06:12 PM, Martin Basti wrote:
>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>> This patch adds support for multiple user / host certificates.  No
>>>> schema change is needed ('usercertificate' attribute is already
>>>> multi-value).  The revoke-previous-cert behaviour of host-mod and
>>>> user-mod has been removed but revocation behaviour of -del and
>>>> -disable is preserved.
>>>>
>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>>> patch for correct cert-request behaviour.
>>>>
>>>> There is one design question (or maybe more, let me know): the
>>>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>>>> to the named file.  I propose to either:
>>>>
>>>> a) write all certs, suffixing suggested filename with either a
>>>>      sequential numerical index, e.g. "cert.pem" becomes
>>>>      "cert.pem.1", "cert.pem.2", and so on; or
>>>>
>>>> b) as above, but suffix with serial number and, if there are
>>>>      different issuers, some issuer-identifying information.
>>>>
>>>> Let me know your thoughts.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>>
>>> Is there a possible way how to store certificates into one file?
>>> I read about possibilities to have multiple certs in one .pem file, but I'm not
>>> a cert guru :)
>>>
>>> I personally vote for serial number in case there are multiple certificates, if
>>> ^ is not possible.
>>>
>>>
>>> 1)
>>> +            if len(certs) > 0:
>>>
>>> please use only,
>>> if certs:
>>>
>>> 2)
>>> You need to re-generate API/ACI.txt in this patch
>>>
>>> 3)
>>> syntax error:
>>> +        for dercert in certs_der
>>>
>>>
>>> 4)
>>> command
>>> ipa user-mod ca_user --certificate=<certificate>
>>>
>>> removes the current certificate from the LDAP, by design.
>>> Should be the old certificate(s) revoked? You removed that part in the code.
>> Good question. I think the suggestion was to have a global switch in IPA global
>> config that would configure the policy - whether the certificates removed by
>> this command or by host-del or host-disable are revoked or if they are just
>> removed (my motivation is to avoid behavior regression in case somebody
>> depended on this behavior).
> I would prefer to keep the current behavior: revoke the certificate if it was
> replaced or removed, instead of adding an extra configuration option.
> This behavior is not regression.

It is not. However, it is not an ideal behavior either. In FreeIPA 4.2, we are
now adding support of certificate profiles, multiple certificates and even
certificates for users.

With that change, there may be much more certificates in play than now. If we
keep revoking all such certificates, it may cause rapid growth of CRLs. This is
something I am trying to avoid with this proposal and default to not revoking
certificates automatically (which mostly only makes sense if there is a risk
that the key is compromised), but have some option to keep the old behavior.

Does this make sense?
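The two output styles discussed above (several certificates in one PEM file, or one file per certificate with the serial number appended, option b) can be sketched in a few lines. The following is an added illustration and is not code from Fraser's patch or from FreeIPA; it uses only the Python standard library, reads the serial number with a minimal DER walker rather than python-cryptography, and the sample "certificates" are constructed DER skeletons carrying only a version and a serial number, not real certificates. Function names (`cert_serial`, `write_certs`, `cert_filenames`, `fake_cert`) are this example's own.

```python
import base64
import os
import tempfile


# --- minimal DER helpers (stdlib only; no python-cryptography dependency) ---

def der_read(data, offset=0):
    """Read one DER TLV at `offset`; return (tag, value_bytes, offset_after)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length


def cert_serial(der):
    """serialNumber of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT OPTIONAL, serialNumber INTEGER, ... }, ... }
    """
    _, cert, _ = der_read(der)             # outer Certificate SEQUENCE
    _, tbs, _ = der_read(cert)             # tbsCertificate SEQUENCE
    tag, value, nxt = der_read(tbs)
    if tag == 0xA0:                        # optional [0] version present: skip it
        tag, value, nxt = der_read(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def der_to_pem(der):
    """Wrap DER bytes as one PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def pem_cert_count(text):
    """Number of CERTIFICATE blocks in a PEM text; PEM allows several per file."""
    return text.count("-----BEGIN CERTIFICATE-----")


def cert_filenames(certs_der, filename):
    """Option (b): a single cert keeps the requested name; several certs get
    '<name>.<serial>' so the files are distinguishable and stable across runs."""
    if len(certs_der) <= 1:
        return [filename]
    return ["%s.%d" % (filename, cert_serial(der)) for der in certs_der]


def write_certs(certs_der, filename, bundle=False):
    """Write certs as one PEM bundle or one file per cert; return paths written."""
    if bundle:
        with open(filename, "w") as f:
            for der in certs_der:
                f.write(der_to_pem(der))
        return [filename]
    paths = cert_filenames(certs_der, filename)
    for path, der in zip(paths, certs_der):
        with open(path, "w") as f:
            f.write(der_to_pem(der))
    return paths


# --- constructed sample input: structurally valid DER skeletons, NOT real certs ---

def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(n):
    # minimal two's-complement encoding for non-negative n
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def fake_cert(serial):
    """Certificate{ tbsCertificate{ [0]{INTEGER 2}, INTEGER serial } }: just
    enough structure for cert_serial(); constructed for this example only."""
    return _tlv(0x30, _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(serial)))


def demo():
    """Exercise both styles in a temp dir; returns (certs_in_bundle, split_basenames)."""
    certs = [fake_cert(4660), fake_cert(4661)]
    with tempfile.TemporaryDirectory() as d:
        bundle = write_certs(certs, os.path.join(d, "cert.pem"), bundle=True)[0]
        with open(bundle) as f:
            count = pem_cert_count(f.read())
        split = write_certs(certs, os.path.join(d, "cert.pem"))
        return count, [os.path.basename(p) for p in split]


if __name__ == "__main__":
    print(demo())
```

Keying the per-file suffix on the serial number (rather than a positional index) means the same certificate always lands in the same file name regardless of the order LDAP returns the multi-valued attribute in; a real implementation would also fold in issuer information when more than one CA is involved, as option (b) proposes.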



