[Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

Jan Cholasta jcholast at redhat.com
Tue May 10 08:41:59 UTC 2016


On 9.5.2016 18:27, Petr Vobornik wrote:
> On 05/09/2016 09:35 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 6.5.2016 08:01, Fraser Tweedale wrote:
>>> Hullo all,
>>>
>>> FreeIPA Lightweight CAs implementation is progressing well.  The
>>> remaining big unknown in the design is how to do renewal.  I have
>>> put my ideas into the design page[1] and would appreciate any and
>>> all feedback!
>>>
>>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
>>>
>>> Some brief commentary on the options:
>>>
>>> I intend to implement approach (1) as a baseline.  Apart from
>>> implementing machinery in Dogtag to actually perform the renewal -
>>> which is required for all the approaches - it's not much work and
>>> gets us over the "lightweight CAs can be renewed easily" line, even
>>> if it is a manual process.
>>>
>>> For automatic renewal, I am leaning towards approach (2).  Dogtag
>>> owns the lightweight CAs so I think it makes sense to give Dogtag
>>> the ability to renew them automatically (if configured to do so),
>>> without relying on external tools i.e. Certmonger.  But as you will
>>> see from the outlines, each approach has its upside and downside.
>>
>> I would prefer (3), as I would very much like to avoid duplicating
>> certmonger's functionality in Dogtag.
>>
>> Some comments on the disadvantages:
>>
>>   * "Proliferation of Certmonger tracking requests; one for each
>> FreeIPA-managed lightweight CA."
>>
>>     I don't think this is an actual issue, as it's purely cosmetic.
>>
>>   * "Either lightweight CA creation is restricted to the renewal master,
>> or the renewal master must observe the creation of new lightweight CAs
>> and start tracking their certificate."
>>
>>     IMO this doesn't have to be done automatically in the initial
>> implementation. You could extend ipa-certupdate to set up certmonger for
>> lightweight CAs and have admins run it manually on masters after adding
>> a new lightweight CA. They will have to run it anyway to get the new
>> lightweight CA certificate installed in the system, so it should be fine
>> to do it this way.
>
> I'm afraid that it can lead to errors where admins would distribute the
> cert by other means and as a result this command would not be run on
> renewal master even though it is easier. But it is still better than #1
> without auto-renewal mechanism.

Admins can screw up using any of the proposed approaches, so IMHO this 
argument is invalid :-)

>
>>
>>   * "Development of new Certmonger renewal helpers solely for
>> lightweight CA renewal."
>>
>>     It would be easier to extend the existing helpers. I don't think
>> there is anything preventing them from being used for lightweight CAs,
>> except not conveying the CA name, which should be easy to implement.
>>
>>
>> I would also avoid starting with (1); I don't believe it adds any real
>> value. IMHO the first thing that should be done is implement lightweight
>> CA support in certmonger (add new 'request' / 'start-tracking' option
>> for CA name, store it in tracking requests, pass it to CA helpers in a
>> new environment variable).
>>
>>
>> Honza
>>


-- 
Jan Cholasta