[Freeipa-users] yet another certificate question

[Rob Crittenden]

Natxo Asenjo wrote:
> On Thu, Oct 9, 2014 at 2:33 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>> hi,
>>
>> if during the enrollment of a host a host certificate is created, then
>> this will be a nssdb type certificate.
>>
>> However, lots of applications use file certificates and we can very
>> easily create one of those (even using configuration management
>> tools):
>>
>> /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
>> --fqdn`.crt -k /etc/pki/tls/private/`hostname --fqdn`.key
>>
>> getcert list will see both, but in the ipa web interface in the host
>> information only the last one will be shown.
> 
> well, replying to mysel, the attribute userCertificate appears to be
> single valued. So that must be why.
> 
> So what happens with the other certificate in the nssdb directory? Can
> I just stop tracking it locally? Or do I have to stop tracking it
> because it will try to auto renew when it expires, and that will block
> the file certificate?

I was going to wait a bit as you've seem to be doing a great job
answering your own questions in this thread :-)

As you've discovered, it's one cert per service (or host). What you
aren't seeing is that when you request another cert for the same service
any existing certificate is revoked. If/when you start using OCSP or
CRLs you'll see it big time.

I think renewal will work ok for both but the last one would "win" and
all others would end up being marked as revoked.

So yeah, you should stop tracking it. I suspect that unless the renewal
happened simultaneously both would end up renewed, but one would be
revoked (last one wins).

You may want to look into per-service certificates using the -K
<principal> option to ipa-getcert. This will require pre-creating the
services in IPA to store the certificate but otherwise it will function
the same way.

rob