[Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs

Jan Cholasta jcholast at redhat.com
Tue Sep 6 08:19:14 UTC 2016 

On 5.9.2016 17:30, Fraser Tweedale wrote:
> On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote:
>> On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 26.8.2016 07:42, Fraser Tweedale wrote:
>>>> On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote:
>>>>> Hi all,
>>>>>
>>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221.
>>>>> It depends on Honza's PR #20
>>>>> https://github.com/freeipa/freeipa/pull/20.
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>> It does help to attach the patch :)
>>>
>>> I think it would be better to call cert-find once per host-del/service-del
>>> with the --host/--service option specified. That way you'll get all
>>> certificates for the given host/service at once.
>>>
>>> Honza
>>>
>> I agree that is a nicer approach.
>>
>> 'revoke_certs' is called from several other places besides just
>> host/service_del.  If we want to land this fix Real Soon I'd suggest
>> we either:
>>
>> A) Define function 'revoke_certs_from_cert_find', call it from
>> host/service_del, and leave 'revoke_certs' alone; or
>>
>> B) Land the patch as-is and do a bigger refactor at a later time.
>>
>> What do you think?

C) Use cert-find-based revoke_certs() everywhere; use the --certificate 
option of cert-find in the other places to get information about 
specific certificates.

>>
> Updated patch for option (A) is attached.

1) Instead of

         if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}:

use:

         if result['revoked']:


2)

+        if 'cacn' not in cert:
+            # cert is known to Dogtag, but CA appears to have been
+            # deleted.  We cannot revoke this cert via IPA anymore.
+            # We could go directly to Dogtag to revoke it, but the
+            # issuer's cert should have been revoked so never mind.
+            continue

Or, it could be a cert issued by a 3rd party CA.


3) host-mod/service-mod do not revoke certs:

$ ipa cert-request test.csr --principal host/test.example.com
   Serial number: 13

$ ipa cert-show 13
   Revoked: False
   Owner host: test.example.com

$ ipa host-mod test.example.com --certificate=

$ ipa cert-show 13
   Revoked: False


-- 
Jan Cholasta

More information about the Freeipa-devel mailing list