[Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal
Jan Cholasta
jcholast at redhat.com
Wed Jun 29 06:55:41 UTC 2016
On 24.6.2016 08:49, Fraser Tweedale wrote:
> On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 21.6.2016 08:24, Fraser Tweedale wrote:
>>> The attached patches add lightweight CA renewal. There are two
>>> substantive aspects:
>>>
>>> 1. The renew_ca_cert updates the serial number in the lightweight
>>> CA's entry in the Dogtag database. This causes CA clones to observe
>>> the renewal and update the certs in their own NSSDBs.
>>>
>>> 2. The ipa-certupdate command adds Certmonger tracking requests for
>>> lightweight CAs (on the renewal master only).
>>>
>>> Correct behaviour also depends on my patch 0069 (in-server API for
>>> renew_ca_cert script).
>>
>> Patch 0072-0074: LGTM
>>
>> Patch 0075:
>>
>> 1) Lightweight CA certs should be tracked by certmonger on all CA servers,
>> not just on the renewal master. The behavior should be the same as for the
>> main CA cert, i.e. the actual renewal is done only on the renewal master,
>> other CA servers only update their NSS DBs (this is handled in
>> dogtag-ipa-ca-renew-agent-submit).
>>
>> This is important because the CA renewal master can change at any time, and
>> without all CA certs being tracked on all CA servers, there is no guarantee
>> the renewal would happen.
>>
>> 2) Since CA clones update their NSS DBs on their own,
>> dogtag-ipa-ca-renew-agent should be updated not to put them in
>> cn=ca_renewal,cn=ipa,cn=etc.
>>
> Thanks for the review, Honza. Updated patch 0075-2 attached.
Thanks, ACK.

Rebased patch 0072 and pushed to master:
0078e7a9192a940104d8f6621b33d24d814c109b

It would be nice if lightweight CAs known at replica install time were
tracked without having to manually run ipa-certupdate after
ipa-replica-install. Shall I file a ticket for this, or will you be able
to provide a patch before Friday?
--
Jan Cholasta
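Added illustration of the two review points above (track on every CA server, renew only on the renewal master; lightweight CA certs are picked up by clones from the Dogtag database rather than from cn=ca_renewal). This is not FreeIPA or certmonger code: the `Cluster` model, the `renew_agent_submit` decision function and the constructed nicknames are assumptions made for the example, standing in for certmonger tracking requests, dogtag-ipa-ca-renew-agent-submit and the LDAP/Dogtag stores.

```python
"""Model of CA cert renewal across CA servers (added example, not FreeIPA code).

Assumptions (constructed for illustration):
  - `tracking`   : per-server set of nicknames certmonger would track
  - `ca_renewal` : analogue of cn=ca_renewal,cn=ipa,cn=etc (master publishes here)
  - `dogtag_db`  : analogue of the Dogtag DB serial numbers clones watch
"""
from dataclasses import dataclass, field


@dataclass
class Cluster:
    renewal_master: str
    servers: set
    tracking: dict = field(default_factory=dict)
    ca_renewal: dict = field(default_factory=dict)
    dogtag_db: dict = field(default_factory=dict)


def add_tracking(cluster, nickname, all_servers=True):
    """Add a tracking request on every CA server (correct) or only on the
    current renewal master (the behaviour the review objects to)."""
    targets = cluster.servers if all_servers else {cluster.renewal_master}
    for server in targets:
        cluster.tracking.setdefault(server, set()).add(nickname)


def renew_agent_submit(cluster, host, nickname, lightweight):
    """What the renewal agent on `host` does when certmonger fires for `nickname`."""
    if nickname not in cluster.tracking.get(host, set()):
        return "not-tracked"  # certmonger never calls the agent here
    if host == cluster.renewal_master:
        # Only the renewal master actually renews; the new serial lands in
        # the Dogtag DB. Main CA certs are also published to cn=ca_renewal;
        # lightweight CA certs are not, since clones update on their own.
        serial = cluster.dogtag_db.get(nickname, 0) + 1
        cluster.dogtag_db[nickname] = serial
        if not lightweight:
            cluster.ca_renewal[nickname] = serial
        return f"renewed:{serial}"
    # A clone never renews, it only refreshes its own NSS DB.
    if lightweight:
        return f"updated-from-dogtag:{cluster.dogtag_db.get(nickname)}"
    if nickname in cluster.ca_renewal:
        return f"updated-from-ca_renewal:{cluster.ca_renewal[nickname]}"
    return "waiting"  # nothing published yet, certmonger will retry later


def renewal_cycle(cluster, nickname, lightweight):
    """Run one renewal round: master first, then clones, in a fixed order."""
    order = [cluster.renewal_master] + sorted(cluster.servers - {cluster.renewal_master})
    return {host: renew_agent_submit(cluster, host, nickname, lightweight) for host in order}


if __name__ == "__main__":
    c = Cluster(renewal_master="ca1", servers={"ca1", "ca2"})
    add_tracking(c, "caSigningCert cert-pki-ca", all_servers=False)
    c.renewal_master = "ca2"  # renewal master changes after tracking was set up
    print(renewal_cycle(c, "caSigningCert cert-pki-ca", lightweight=False))
```

Running the script shows the failure mode from point 1: with master-only tracking, the new renewal master has no tracking request, the old master is no longer allowed to renew, and the cycle ends with nobody renewing. With `all_servers=True` the new master renews and the clone refreshes from cn=ca_renewal, while a lightweight CA nickname (constructed as `lwca-1`) is refreshed from the Dogtag DB and never appears in `ca_renewal`, which is point 2.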