[Freeipa-devel] Multiple CA certificates in LDAP, questions

Petr Spacek pspacek at redhat.com
Mon Sep 2 08:49:58 UTC 2013


On 22.8.2013 15:43, Jan Cholasta wrote:
> Hi,
>
> I'm currently investigating support for multiple CA certificates in LDAP
> (<https://fedorahosted.org/freeipa/ticket/3259>,
> <https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
> certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
> <https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
> by custom CAs for IPA HTTP and directory server instances
> (<https://fedorahosted.org/freeipa/ticket/3641>).
>
> The biggest issue is how to make IPA clients aware of CA certificate changes.
> One of the tickets suggests polling the LDAP server from SSSD. Would that be
> sufficient? Perhaps a combination of polling and detecting certificate changes
> when connecting to LDAP would be better?
>
> Another issue is how to handle updating IPA systems with new CA
> certificate(s). On clients it is probably sufficient to store the
> certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
> where the update needs to be done (HTTP and directory server NSS databases,
> KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
> so there should be a way to do this externally. The simplest thing that comes
> to mind is that SSSD would execute an external script to do the update when it
> detects changes, but I'm not sure how well that would work with SELinux in the
> picture. Is there a better way to do this?

It reminds me of problems with key rotation for DNSSEC.

Could we find common problems and use the same/similar solution for both problems?

An extension for certmonger? Oddjob? Or a completely new daemon?

-- 
Petr^2 Spacek
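The change-detection step the thread is debating (poll LDAP, compare the published CA set with the local bundle, and only rewrite /etc/ipa/ca.crt and run an external hook when something actually changed) is sketched below as an added example. It is not code from FreeIPA or SSSD and not from either poster; it assumes the LDAP fetch is done elsewhere and hands back DER blobs, that the local trust store is a PEM bundle at a caller-supplied path, and that the "external script" is modelled as a plain callable. The certificate bytes in the demo are constructed stand-ins, not real X.509 data.

```python
"""Change detection for CA certificates published in LDAP (added example).

Assumptions (not from the thread): the LDAP fetch is performed elsewhere and
returns a list of DER-encoded certificates; the local trust bundle is a PEM
file such as /etc/ipa/ca.crt; the update hook is a plain callable.
"""
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_data: bytes) -> list:
    """Split a PEM bundle into DER blobs; an empty bundle yields []."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_data)]


def der_to_pem(der: bytes) -> bytes:
    """Re-encode one DER blob as a 64-column PEM block."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes is the identity compared, not the subject name,
    so a renewed CA with the same subject still shows up as a change."""
    return hashlib.sha256(der).hexdigest()


def diff_ca_sets(local_ders, ldap_ders):
    """Return (added, removed) fingerprint sets; order and duplicates are ignored."""
    local = {fingerprint(d) for d in local_ders}
    remote = {fingerprint(d) for d in ldap_ders}
    return remote - local, local - remote


def read_bundle(path):
    try:
        with open(path, "rb") as f:
            return pem_to_ders(f.read())
    except FileNotFoundError:
        return []


def write_bundle_atomic(path, ders):
    """Write via a temp file plus rename so a reader never sees a half-written bundle."""
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".ca.crt.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"".join(der_to_pem(d) for d in ders))
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def poll_once(bundle_path, fetch_from_ldap, on_change):
    """One polling round: fetch, diff, and touch disk / run the hook only on change.

    Design choice (an assumption of this example): an empty result from LDAP is
    treated as a failed fetch and ignored, so a transient error or an empty
    search result can never empty the client's trust store.
    """
    ldap_ders = fetch_from_ldap()
    if not ldap_ders:
        return None
    local_ders = read_bundle(bundle_path)
    added, removed = diff_ca_sets(local_ders, ldap_ders)
    if added or removed:
        write_bundle_atomic(bundle_path, ldap_ders)
        on_change(added, removed)  # stands in for SSSD running an external script
    return added, removed


# Constructed stand-ins for DER certificates (not real X.509 data); the code
# above only hashes and re-encodes bytes, so real certificates behave the same.
FAKE_OLD_CA = b"constructed-der-bytes-old-ca"
FAKE_NEW_CA = b"constructed-der-bytes-new-ca"


def demo():
    """Simulate a CA renewal: LDAP starts publishing old and new CA side by side."""
    path = os.path.join(tempfile.mkdtemp(), "ca.crt")
    write_bundle_atomic(path, [FAKE_OLD_CA])
    events = []
    hook = lambda added, removed: events.append((added, removed))
    first = poll_once(path, lambda: [FAKE_OLD_CA, FAKE_NEW_CA], hook)   # change
    second = poll_once(path, lambda: [FAKE_OLD_CA, FAKE_NEW_CA], hook)  # no change
    return first, second, events, read_bundle(path)


if __name__ == "__main__":
    print(demo())
```

The caveat a deployment of this needs: whatever performs `fetch_from_ldap` must authenticate the server (TLS validated against the CA already in the bundle, or GSSAPI), because anything that can answer that query can otherwise push an arbitrary CA into every client's trust store. The hook is where the server-side fan-out from the thread (NSS databases, pkinit_anchors) would hang off; the example itself only handles the single-file client case.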