[Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

Fraser Tweedale ftweedal at redhat.com
Fri Jun 17 07:34:27 UTC 2016 

On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote:
> Hi,
> 
> On 6.5.2016 08:01, Fraser Tweedale wrote:
> > Hullo all,
> > 
> > FreeIPA Lightweight CAs implementation is progressing well.  The
> > remaining big unknown in the design is how to do renewal.  I have
> > put my ideas into the design page[1] and would appreciate any and
> > all feedback!
> > 
> > [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
> > 
> > Some brief commentary on the options:
> > 
> > I intend to implement approach (1) as a baseline.  Apart from
> > implementing machinery in Dogtag to actually perform the renewal -
> > which is required for all the approaches - it's not much work and
> > gets us over the "lightweight CAs can be renewed easily" line, even
> > if it is a manual process.
> > 
> > For automatic renewal, I am leaning towards approach (2).  Dogtag
> > owns the lightweight CAs so I think it makes sense to give Dogtag
> > the ability to renew them automatically (if configured to do so),
> > without relying on external tools i.e. Certmonger.  But as you will
> > see from the outlines, each approach has its upside and downside.
> 
> I would prefer (3), as I would very much like to avoid duplicating
> certmonger's functionality in Dogtag.
> 
> Some comments on the disadvantages:
> 
>   * "Proliferation of Certmonger tracking requests; one for each
> FreeIPA-managed lightweight CA."
> 
>     I don't think this is an actual issue, as it's purely cosmetic.
> 
>   * "Either lightweight CA creation is restricted to the renewal master, or
> the renewal master must observe the creation of new lightweight CAs and
> start tracking their certificate."
> 
>     IMO this doesn't have to be done automatically in the initial
> implementation. You could extend ipa-certupdate to set up certmonger for
> lightweight CAs and have admins run it manually on masters after adding a
> new lightweight CA. They will have to run it anyway to get the new
> lightweight CA certificate installed in the system, so it should be fine to
> do it this way.
> 
I have updated the renew_ca_cert post-save script to perform the
database update necessary for CA replicas to pick up the new cert.
What remains is the command to tell certmonger to track the CA.

You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a
better fit, e.g.:

    ipa-cacert-manage track <CA-ID>

It would look up the necessary info (basically just the CA-ID) and
set up the certmonger tracking.

It could be an error to run the command on other than the renewal
master.

An untrack command could also be provided.

Thoughts?

>   * "Development of new Certmonger renewal helpers solely for lightweight CA
> renewal."
> 
>     It would be easier to extend the existing helpers. I don't think there
> is anything preventing them from being used for lighweight CAs, except not
> conveying the CA name, which should be easy to implement.
> 
> 
> I would also avoid starting with (1), I don't believe it adds any real
> value. IMHO the first thing that should be done is implement lightweight CA
> support in certmonger (add new 'request' / 'start-tracking' option for CA
> name, store it in tracking requests, pass it to CA helpers in a new
> environment variable).
> 
> 
> Honza
> 
> -- 
> Jan Cholasta

More information about the Pki-devel mailing list