[Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

Petr Vobornik pvoborni at redhat.com
Mon May 9 16:27:19 UTC 2016


On 05/09/2016 09:35 AM, Jan Cholasta wrote:
> Hi,
> 
> On 6.5.2016 08:01, Fraser Tweedale wrote:
>> Hullo all,
>>
>> FreeIPA Lightweight CAs implementation is progressing well.  The
>> remaining big unknown in the design is how to do renewal.  I have
>> put my ideas into the design page[1] and would appreciate any and
>> all feedback!
>>
>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
>>
>> Some brief commentary on the options:
>>
>> I intend to implement approach (1) as a baseline.  Apart from
>> implementing machinery in Dogtag to actually perform the renewal -
>> which is required for all the approaches - it's not much work and
>> gets us over the "lightweight CAs can be renewed easily" line, even
>> if it is a manual process.
>>
>> For automatic renewal, I am leaning towards approach (2).  Dogtag
>> owns the lightweight CAs so I think it makes sense to give Dogtag
>> the ability to renew them automatically (if configured to do so),
>> without relying on external tools i.e. Certmonger.  But as you will
>> see from the outlines, each approach has its upside and downside.
> 
> I would prefer (3), as I would very much like to avoid duplicating
> certmonger's functionality in Dogtag.
> 
> Some comments on the disadvantages:
> 
>   * "Proliferation of Certmonger tracking requests; one for each
> FreeIPA-managed lightweight CA."
> 
>     I don't think this is an actual issue, as it's purely cosmetic.
> 
>   * "Either lightweight CA creation is restricted to the renewal master,
> or the renewal master must observe the creation of new lightweight CAs
> and start tracking their certificate."
> 
>     IMO this doesn't have to be done automatically in the initial
> implementation. You could extend ipa-certupdate to set up certmonger for
> lightweight CAs and have admins run it manually on masters after adding
> a new lightweight CA. They will have to run it anyway to get the new
> lightweight CA certificate installed in the system, so it should be fine
> to do it this way.

I'm afraid that it can lead to errors where admins would distribute the
cert by other means and as a result this command would not be run on the
renewal master, even though it is easier. But it is still better than #1
without an auto-renewal mechanism.

> 
>   * "Development of new Certmonger renewal helpers solely for
> lightweight CA renewal."
> 
>     It would be easier to extend the existing helpers. I don't think
> there is anything preventing them from being used for lightweight CAs,
> except not conveying the CA name, which should be easy to implement.
> 
> 
> I would also avoid starting with (1), I don't believe it adds any real
> value. IMHO the first thing that should be done is implement lightweight
> CA support in certmonger (add new 'request' / 'start-tracking' option
> for CA name, store it in tracking requests, pass it to CA helpers in a
> new environment variable).
> 
> 
> Honza
> 
-- 
Petr Vobornik