[Freeipa-devel] Multiple CA certificates in LDAP, questions

Martin Kosek mkosek at redhat.com
Fri Sep 13 08:53:36 UTC 2013


On 09/13/2013 10:51 AM, Jan Cholasta wrote:
> On 5.9.2013 10:28, Jan Cholasta wrote:
>> On 3.9.2013 18:16, Dmitri Pal wrote:
>>> On 09/02/2013 04:49 AM, Petr Spacek wrote:
>>>> On 22.8.2013 15:43, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> I'm currently investigating support for multiple CA certificates in
>>>>> LDAP (<https://fedorahosted.org/freeipa/ticket/3259>,
>>>>> <https://fedorahosted.org/freeipa/ticket/3520>). This will be useful
>>>>> for CA certificate renewal
>>>>> (<https://fedorahosted.org/freeipa/ticket/3304>,
>>>>> <https://fedorahosted.org/freeipa/ticket/3737>) and using
>>>>> certificates issued by custom CAs for IPA HTTP and directory server
>>>>> instances (<https://fedorahosted.org/freeipa/ticket/3641>).
>>>>>
>>>>> The biggest issue is how to make IPA clients aware of CA certificate
>>>>> changes. One of the tickets suggests polling the LDAP server from
>>>>> SSSD. Would that be sufficient? Perhaps a combination of polling and
>>>>> detecting certificate changes when connecting to LDAP would be
>>>>> better?
>>>>>
>>>>> Another issue is how to handle updating IPA systems with new CA
>>>>> certificate(s). On clients it is probably sufficient to store the
>>>>> certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple
>>>>> places where the update needs to be done (HTTP and directory server
>>>>> NSS databases, KDC pkinit_anchors file, etc.). IMO doing all this
>>>>> from SSSD is unrealistic, so there should be a way to do this
>>>>> externally. The simplest thing that comes to mind is that SSSD would
>>>>> execute an external script to do the update when it detects changes,
>>>>> but I'm not sure how well that would work with SELinux in the
>>>>> picture. Is there a better way to do this?
>>>>
>>>> It reminds me of problems with key rotation for DNSSEC.
>>>>
>>>> Could we find common problems and use the same/similar solution for
>>>> both problems?
>>>>
>>>> An extension for certmonger? Oddjob? Or a completely new daemon?
>>>>
>>> Certmonger already has a way to:
>>> 1) Check things periodically
>>> 2) Hand certs in different places
>>> 3) Run post op scripts
>>>
>>> IMO it is a good candidate but I would leave it to Nalin to chime in.
>>>
>>
>> I would expect more things that require periodic checking on clients
>> beyond certificates to come in the future, so I'm not sure if doing this
>> in certmonger is the right thing to do. Also, SSSD already does a
>> similar thing for realm domains, right?

Are you suggesting extending SSSD to handle that?

>>
>> Honza
>>
> 
> So, does anyone have any strong opinions on this?

Not at this point. BTW, is there any reason why we cannot go the simple way and
just utilize cron and a script? Previously we just dropped a conf file into
/etc/cron.d for the ipa-compliance script and it worked quite well.

Martin
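To make the cron-and-script approach concrete, here is an added example sketching what such a script's core would have to do (this is illustrative code written for this thread, not FreeIPA's, SSSD's or Martin's code). It assumes the LDAP fetch is supplied as a callable (in a real deployment that would be an ldapsearch against the IPA CA certificate entry, which is deliberately left out so the logic runs offline), that the client-side target is /etc/ipa/ca.crt as Jan describes, and that the server-side updates (NSS databases, pkinit_anchors) are modelled as post-update hooks. The PEM bodies are constructed placeholders, not real certificates. The points worth noting for a defender are that the comparison is order-independent (a renewal that republishes the same set in a different order must not trigger spurious updates), that an empty or unparsable answer never clobbers the existing trust anchors, and that the file is replaced atomically so no reader ever sees a truncated anchor file.

```python
"""Change detection for a CA certificate bundle, as a cron-driven script
might do it. Example code added to this thread, not FreeIPA's own."""
import hashlib
import os
import tempfile


def pem_blocks(text):
    """Split a PEM bundle into its individual CERTIFICATE blocks."""
    blocks, cur, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, cur = True, [line]
        elif line == "-----END CERTIFICATE-----" and inside:
            cur.append(line)
            blocks.append("\n".join(cur))
            inside = False
        elif inside and line:
            cur.append(line)
    return blocks


def bundle_fingerprint(text):
    """Order-independent SHA-256 over the set of certificates in a bundle."""
    h = hashlib.sha256()
    for blk in sorted(set(pem_blocks(text))):
        h.update(blk.encode("ascii"))
        h.update(b"\n")
    return h.hexdigest()


def read_local_bundle(path):
    """Return the current local bundle, or "" if none has been written yet."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""


def write_bundle_atomically(path, text):
    """Write to a temp file in the same directory, then rename over the
    target, so a reader never sees a half-written trust anchor file."""
    d = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".ca.crt.")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def sync_ca_bundle(fetch_remote, local_path, hooks=()):
    """Compare the published CA set with the local file; update only on change.
    fetch_remote: callable returning the PEM bundle published by the server
                  (assumed to wrap the LDAP lookup; not implemented here).
    hooks: callables run after a successful update (stand-ins for the
           server-side NSS database / pkinit_anchors updates).
    Returns (changed, fingerprint_of_remote_set)."""
    remote = fetch_remote()
    if not pem_blocks(remote):
        # Empty or unparsable answer: refuse to clobber existing anchors.
        raise ValueError("remote bundle contains no certificates")
    new_fp = bundle_fingerprint(remote)
    old_fp = bundle_fingerprint(read_local_bundle(local_path))
    if new_fp == old_fp:
        return False, new_fp
    write_bundle_atomically(local_path, remote)
    for hook in hooks:
        hook(local_path)
    return True, new_fp


# Constructed sample data: the bodies are placeholders shaped like PEM, not
# real certificates, so the change-detection logic can be exercised offline.
OLD_CA = "-----BEGIN CERTIFICATE-----\nMIIBold0001\n-----END CERTIFICATE-----\n"
NEW_CA = "-----BEGIN CERTIFICATE-----\nMIIBnew0002\n-----END CERTIFICATE-----\n"


def demo():
    """Run several sync rounds against a temp directory; report what changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca.crt")
        ran = []
        hook = lambda p: ran.append(p)
        c1, _ = sync_ca_bundle(lambda: OLD_CA, path, hooks=[hook])          # first run: written
        c2, _ = sync_ca_bundle(lambda: OLD_CA, path, hooks=[hook])          # unchanged: no-op
        c3, _ = sync_ca_bundle(lambda: OLD_CA + NEW_CA, path, hooks=[hook]) # renewal adds a CA
        c4, _ = sync_ca_bundle(lambda: NEW_CA + OLD_CA, path, hooks=[hook]) # reordered: no-op
        try:
            sync_ca_bundle(lambda: "", path, hooks=[hook])                  # empty answer
            rejected = False
        except ValueError:
            rejected = True
        return (c1, c2, c3, c4, len(ran),
                len(pem_blocks(read_local_bundle(path))), rejected)


if __name__ == "__main__":
    print(demo())
```

Scheduling is the part the script does not own: a /etc/cron.d entry invoking it every few minutes gives the polling interval, and anything beyond fingerprint comparison (checking that a newly published CA chains to one already trusted before accepting it, logging each change) would be added in sync_ca_bundle before the write.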
