[Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal

Jan Cholasta jcholast at redhat.com
Wed Jun 29 07:30:17 UTC 2016


On 29.6.2016 08:55, Jan Cholasta wrote:
> On 24.6.2016 08:49, Fraser Tweedale wrote:
>> On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 21.6.2016 08:24, Fraser Tweedale wrote:
>>>> The attached patches add lightweight CA renewal.  There are two
>>>> substantive aspects:
>>>>
>>>> 1. The renew_ca_cert updates the serial number in the lightweight
>>>> CA's entry in the Dogtag database.  This causes CA clones to observe
>>>> the renewal and update the certs in their own NSSDBs.
>>>>
>>>> 2. The ipa-certupdate command adds Certmonger tracking requests for
>>>> lightweight CAs (on the renewal master only).
>>>>
>>>> Correct behaviour also depends on my patch 0069 (in-server API for
>>>> renew_ca_cert script).
>>>
>>> Patch 0072-0074: LGTM
>>>
>>> Patch 0075:
>>>
>>> 1) Lightweight CA certs should be tracked by certmonger on all CA
>>> servers, not just on the renewal master. The behavior should be the
>>> same as for the main CA cert, i.e. the actual renewal is done only on
>>> the renewal master, other CA servers only update their NSS DBs (this
>>> is handled in dogtag-ipa-ca-renew-agent-submit).
>>>
>>> This is important because CA renewal master can change at any time, and
>>> without all CA certs being tracked on all CA servers, there is no
>>> guarantee the renewal would happen.
>>>
>>> 2) Since CA clones update their NSS DBs on their own,
>>> dogtag-ipa-ca-renew-agent should be updated not to put them in
>>> cn=ca_renewal,cn=ipa,cn=etc.
>>>
>> Thanks for the review, Honza.  Updated patch 0075-2 attached.
>
> Thanks, ACK.
>
> Rebased patch 0072 and pushed to master:
> 0078e7a9192a940104d8f6621b33d24d814c109b
>
> It would be nice if lightweight CAs known at replica install time were
> tracked without having to manually run ipa-certupdate after
> ipa-replica-install. Shall I file a ticket for this, or will you be able
> to provide a patch before Friday?

Also, the certs should be untracked on server uninstall.

-- 
Jan Cholasta
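The requirement discussed in this thread (every CA server tracks every CA certificate, including lightweight CAs, through certmonger with the dogtag-ipa-ca-renew-agent helper) can be verified on a server by parsing `getcert list`. The script below is an added example, not code from the thread or from FreeIPA itself. The sample `getcert list` output, request IDs, nicknames and UUID are constructed; the assumption that a lightweight CA's NSS nickname is "caSigningCert cert-pki-ca <id>" is mine, and the expected nickname list would in practice come from `ipa ca-find`.

```python
"""Check that expected CA certificates have healthy certmonger tracking requests.

Added example for the FreeIPA lightweight CA renewal discussion; not project code.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `getcert list` output (request IDs, nicknames and the
# lightweight CA UUID are made up). The second request is deliberately unhealthy.
LWCA_NICK = "caSigningCert cert-pki-ca 00000000-1111-2222-3333-444444444444"  # assumption
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160629073000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2036-06-29 07:30:00 UTC
Request ID '20160629073001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 00000000-1111-2222-3333-444444444444',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 00000000-1111-2222-3333-444444444444',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=Sub CA,O=EXAMPLE.TEST
\texpires: 2019-06-29 07:30:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$", re.M)
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict per tracking request.

    Each "key: value" line becomes a dict entry; the NSS nickname is pulled
    out of the 'certificate' line so callers can match on it directly.
    """
    requests: List[Dict[str, str]] = []
    matches = list(REQUEST_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        req: Dict[str, str] = {"id": m.group(1)}
        for line in text[m.end():end].splitlines():
            line = line.strip()
            if ": " not in line:
                continue
            key, _, value = line.partition(": ")
            req[key] = value
        nick = NICK_RE.search(req.get("certificate", ""))
        req["nickname"] = nick.group(1) if nick else ""
        requests.append(req)
    return requests


def check_ca_tracking(text: str, expected_nicknames: List[str],
                      expected_ca: str = "dogtag-ipa-ca-renew-agent") -> List[str]:
    """Return a list of problems; an empty list means every expected CA cert
    is tracked by the expected helper and is in a healthy MONITORING state."""
    by_nick = {r["nickname"]: r for r in parse_getcert_list(text)}
    problems: List[str] = []
    for nick in expected_nicknames:
        req = by_nick.get(nick)
        if req is None:
            # Missing request: this server would never pick up a renewal.
            problems.append(f"{nick}: no certmonger tracking request")
            continue
        if req.get("CA") != expected_ca:
            problems.append(f"{nick}: tracked by CA helper {req.get('CA')!r}, "
                            f"expected {expected_ca!r}")
        if req.get("status") != "MONITORING" or req.get("stuck") != "no":
            problems.append(f"{nick}: status {req.get('status')}, stuck={req.get('stuck')}")
    return problems


if __name__ == "__main__":
    # On a real IPA CA server, run against live certmonger state instead of the sample.
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    for problem in check_ca_tracking(out, ["caSigningCert cert-pki-ca", LWCA_NICK]):
        print("PROBLEM:", problem)
```

Run it on each CA server in the topology, not only on the renewal master: the point raised in the thread is that the renewal master can change, so a missing request on any server is a real gap.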
