[Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal

Jan Cholasta jcholast at redhat.com
Thu Jun 23 07:51:02 UTC 2016


Hi,

On 21.6.2016 08:24, Fraser Tweedale wrote:
> The attached patches add lightweight CA renewal.  There are two
> substantive aspects:
>
> 1. The renew_ca_cert updates the serial number in the lightweight
> CA's entry in the Dogtag database.  This causes CA clones to observe
> the renewal and update the certs in their own NSSDBs.
>
> 2. The ipa-certupdate command adds Certmonger tracking requests for
> lightweight CAs (on the renewal master only).
>
> Correct behaviour also depends on my patch 0069 (in-server API for
> renew_ca_cert script).

Patch 0072-0074: LGTM

Patch 0075:

1) Lightweight CA certs should be tracked by certmonger on all CA 
servers, not just on the renewal master. The behavior should be the same 
as for the main CA cert, i.e. the actual renewal is done only on the 
renewal master, other CA servers only update their NSS DBs (this is 
handled in dogtag-ipa-ca-renew-agent-submit).

This is important because the CA renewal master can change at any time, and 
without all CA certs being tracked on all CA servers, there is no 
guarantee the renewal would happen.

2) Since CA clones update their NSS DBs on their own, 
dogtag-ipa-ca-renew-agent should be updated not to put them in 
cn=ca_renewal,cn=ipa,cn=etc.


Honza

-- 
Jan Cholasta
