[Freeipa-devel] Multiple CA certificates in LDAP, questions

Dmitri Pal dpal at redhat.com
Tue Sep 3 16:16:43 UTC 2013


On 09/02/2013 04:49 AM, Petr Spacek wrote:
> On 22.8.2013 15:43, Jan Cholasta wrote:
>> Hi,
>>
>> I'm currently investigating support for multiple CA certificates in LDAP
>> (<https://fedorahosted.org/freeipa/ticket/3259>,
>> <https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
>> certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
>> <https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
>> by custom CAs for IPA HTTP and directory server instances
>> (<https://fedorahosted.org/freeipa/ticket/3641>).
>>
>> The biggest issue is how to make IPA clients aware of CA certificate changes.
>> One of the tickets suggests polling the LDAP server from SSSD. Would that be
>> sufficient? Perhaps a combination of polling and detecting certificate changes
>> when connecting to LDAP would be better?
>>
>> Another issue is how to handle updating IPA systems with new CA
>> certificate(s). On clients it is probably sufficient to store the
>> certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
>> where the update needs to be done (HTTP and directory server NSS databases,
>> KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
>> so there should be a way to do this externally. The simplest thing that comes
>> to mind is that SSSD would execute an external script to do the update when it
>> detects changes, but I'm not sure how well that would work with SELinux in the
>> picture. Is there a better way to do this?
>
> It reminds me of problems with key rotation for DNSSEC.
>
> Could we find common problems and use the same/similar solution for
> both problems?
>
> An extension for certmonger? Oddjob? Or a completely new daemon?
>
Certmonger already has a way to:
1) Check things periodically
2) Hand certs in different places
3) Run post-op scripts

IMO it is a good candidate but I would leave it to Nalin to chime in.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
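The change-detection and fan-out problem the thread describes (compare what a client currently trusts against the CA bundle published in LDAP, then push the new set into /etc/ipa/ca.crt, the NSS databases and the KDC pkinit_anchors file) can be sketched in a few dozen lines. The following is an added example written for this page; it is not FreeIPA, SSSD or certmonger code. The LDAP fetch is left as a callable so the logic runs offline, the sample "certificates" are opaque constructed bytes wrapped as PEM rather than real X.509 data, the pkinit_anchors path and the NSS database directory are assumed placeholders, and the NSS hook only builds the `certutil` command lines it would run instead of executing them.

```python
"""Added example (not FreeIPA, SSSD or certmonger code): detect CA
certificate changes between the bundle a client currently trusts and a
bundle fetched from LDAP, then fan the update out to every trust store
location mentioned in the thread. Fetching from LDAP is a callable so the
logic runs offline; some paths below are assumed placeholders."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def to_pem(der):
    """Wrap DER bytes as a single PEM CERTIFICATE block."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 over the DER encoding; the comparison key, not the PEM text."""
    return hashlib.sha256(der).hexdigest()


def diff_bundles(current_pem, fetched_pem):
    """Return (added, removed, fetched) where the sets are fingerprints."""
    current = {fingerprint(d): d for d in parse_pem_bundle(current_pem)}
    fetched = {fingerprint(d): d for d in parse_pem_bundle(fetched_pem)}
    added = sorted(set(fetched) - set(current))
    removed = sorted(set(current) - set(fetched))
    return added, removed, fetched


# --- per-location update hooks; each returns what it would write or run ---

def hook_ca_crt(ders):
    """Client case from the thread: rewrite /etc/ipa/ca.crt with the full set."""
    return {"path": "/etc/ipa/ca.crt", "content": "".join(to_pem(d) for d in ders)}


def hook_pkinit_anchors(ders):
    """KDC case: pkinit_anchors points at a file, so it gets the same bundle."""
    # /var/kerberos/krb5kdc/cacert.pem is an assumed placeholder path.
    return {"path": "/var/kerberos/krb5kdc/cacert.pem", "count": len(ders)}


def hook_nss_db(ders, dbdir="/etc/httpd/alias"):
    """HTTP/DS case: one certutil import per cert; dry run, commands only.
    The dbdir default is an assumed placeholder."""
    return [
        ["certutil", "-A", "-d", dbdir, "-n", f"CA {fingerprint(d)[:16]}", "-t", "CT,,", "-a"]
        for d in ders
    ]


HOOKS = {"ca_crt": hook_ca_crt, "pkinit_anchors": hook_pkinit_anchors, "nss_httpd": hook_nss_db}


def sync_ca_certs(current_pem, fetch_fn, hooks=HOOKS):
    """One polling round: fetch, compare, and run hooks only when something changed."""
    fetched_pem = fetch_fn()
    added, removed, fetched = diff_bundles(current_pem, fetched_pem)
    if not added and not removed:
        return {"changed": False, "added": [], "removed": [], "actions": {}}
    ders = [fetched[fp] for fp in sorted(fetched)]
    actions = {name: fn(ders) for name, fn in hooks.items()}
    return {"changed": True, "added": added, "removed": removed, "actions": actions}


# --- constructed sample data: opaque bytes wrapped as PEM, not real certificates ---
OLD_CA = to_pem(b"constructed-old-ca-der-bytes")
NEW_CA = to_pem(b"constructed-new-ca-der-bytes")
CURRENT_BUNDLE = OLD_CA
LDAP_BUNDLE = OLD_CA + NEW_CA  # renewal: both CAs published during the overlap


def demo():
    """First round sees the new CA; a second round from the updated bundle is a no-op."""
    first = sync_ca_certs(CURRENT_BUNDLE, lambda: LDAP_BUNDLE)
    second = sync_ca_certs(first["actions"]["ca_crt"]["content"], lambda: LDAP_BUNDLE)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("changed:", first["changed"], "added:", first["added"])
    print("second round changed:", second["changed"])
```

Comparing DER fingerprints rather than PEM text makes the check robust to re-wrapping or reordering of the published bundle, and running the hooks only on a non-empty diff keeps the polling loop idempotent, which matters whichever daemon (SSSD, certmonger or something new) ends up owning the periodic check.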

