[Freeipa-devel] Multiple CA certificates in LDAP, questions

Jan Cholasta jcholast at redhat.com
Fri Sep 13 08:51:24 UTC 2013


On 5.9.2013 10:28, Jan Cholasta wrote:
> On 3.9.2013 18:16, Dmitri Pal wrote:
>> On 09/02/2013 04:49 AM, Petr Spacek wrote:
>>> On 22.8.2013 15:43, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> I'm currently investigating support for multiple CA certificates in LDAP (<https://fedorahosted.org/freeipa/ticket/3259>, <https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>, <https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued by custom CAs for IPA HTTP and directory server instances (<https://fedorahosted.org/freeipa/ticket/3641>).
>>>>
>>>> The biggest issue is how to make IPA clients aware of CA certificate changes. One of the tickets suggests polling the LDAP server from SSSD. Would that be sufficient? Perhaps a combination of polling and detecting certificate changes when connecting to LDAP would be better?
>>>>
>>>> Another issue is how to handle updating IPA systems with new CA certificate(s). On clients it is probably sufficient to store the certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places where the update needs to be done (HTTP and directory server NSS databases, KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic, so there should be a way to do this externally. The simplest thing that comes to mind is that SSSD would execute an external script to do the update when it detects changes, but I'm not sure how well that would work with SELinux in the picture. Is there a better way to do this?
>>>
>>> It reminds me of problems with key rotation for DNSSEC.
>>>
>>> Could we find common problems and use the same/similar solution for
>>> both problems?
>>>
>>> An extension for certmonger? Oddjob? Or a completely new daemon?
>>>
>> Certmonger already has a way to:
>> 1) Check things periodically
>> 2) Hand certs in different places
>> 3) Run post op scripts
>>
>> IMO it is a good candidate but I would leave it to Nalin to chime in.
>>
>
> I would expect more things that require periodic checking on clients
> beyond certificates to come in the future, so I'm not sure if doing this
> in certmonger is the right thing to do. Also, SSSD already does a
> similar thing for realm domains, right?
>
> Honza
>

So, does anyone have any strong opinions on this?

-- 
Jan Cholasta
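A sketch of the detection half of the polling approach discussed in this thread, added here as an example and not code from the thread or from FreeIPA/SSSD: compare the CA certificates a client has on disk (a PEM bundle such as /etc/ipa/ca.crt) with the set published in LDAP, by SHA-256 fingerprint, and report what was added or removed. The LDAP values and the local bundle are constructed samples; that the directory stores them as `cACertificate;binary` values is an assumption.

```python
import base64
import hashlib
import re

# Constructed sample: two fake blobs standing in for cACertificate;binary values
# fetched from LDAP (assumed attribute). Real values would be ASN.1 DER; the change
# detection below only needs the raw bytes, so placeholders are enough here.
LDAP_CA_DERS = [b"DER-ROOT-CA-2013", b"DER-ROOT-CA-2016"]

# Constructed sample of a local bundle like /etc/ipa/ca.crt: the old root plus a
# certificate that has since been removed from LDAP.
LOCAL_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(der).decode()
    + "-----END CERTIFICATE-----\n"
    for der in (b"DER-ROOT-CA-2013", b"DER-OLD-SUBCA")
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(der):
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def pem_bundle_to_ders(bundle):
    """Split a PEM bundle into the DER bytes of each certificate it contains."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(bundle)]


def diff_ca_certs(local_ders, ldap_ders):
    """Return (added, removed): fingerprints LDAP lists but the local bundle
    lacks, and fingerprints the local bundle has that LDAP no longer lists."""
    local = {fingerprint(d) for d in local_ders}
    remote = {fingerprint(d) for d in ldap_ders}
    return sorted(remote - local), sorted(local - remote)


def check_for_changes(bundle=LOCAL_BUNDLE, ldap_ders=LDAP_CA_DERS):
    """One poll step: decide whether the local CA bundle needs updating.
    A real poller would trigger the update script only when this is True."""
    added, removed = diff_ca_certs(pem_bundle_to_ders(bundle), ldap_ders)
    return {"update_needed": bool(added or removed),
            "added": added, "removed": removed}
```

Comparing by fingerprint rather than by bundle file hash keeps the check stable across PEM re-encoding and ordering differences, and distinguishes a removed CA from an added one, which matters for the server-side update paths (NSS databases, pkinit_anchors) mentioned above.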