[Freeipa-devel] Multiple CA certificates in LDAP, questions

Jan Cholasta jcholast at redhat.com
Thu Sep 5 08:28:36 UTC 2013


On 3.9.2013 18:16, Dmitri Pal wrote:
> On 09/02/2013 04:49 AM, Petr Spacek wrote:
>> On 22.8.2013 15:43, Jan Cholasta wrote:
>>> Hi,
>>>
>>> I'm currently investigating support for multiple CA certificates in LDAP
>>> (<https://fedorahosted.org/freeipa/ticket/3259>,
>>> <https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
>>> certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
>>> <https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
>>> by custom CAs for IPA HTTP and directory server instances
>>> (<https://fedorahosted.org/freeipa/ticket/3641>).
>>>
>>> The biggest issue is how to make IPA clients aware of CA certificate changes.
>>> One of the tickets suggests polling the LDAP server from SSSD. Would that be
>>> sufficient? Perhaps a combination of polling and detecting certificate changes
>>> when connecting to LDAP would be better?
>>>
>>> Another issue is how to handle updating IPA systems with new CA
>>> certificate(s). On clients it is probably sufficient to store the
>>> certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
>>> where the update needs to be done (HTTP and directory server NSS databases,
>>> KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
>>> so there should be a way to do this externally. The simplest thing that comes
>>> to mind is that SSSD would execute an external script to do the update when it
>>> detects changes, but I'm not sure how well that would work with SELinux in the
>>> picture. Is there a better way to do this?
>>
>> It reminds me of problems with key rotation for DNSSEC.
>>
>> Could we find common problems and use the same/similar solution for
>> both problems?
>>
>> An extension for certmonger? Oddjob? Or a completely new daemon?
>>
> Certmonger already has a way to:
> 1) Check things periodically
> 2) Hand certs in different places
> 3) Run post op scripts
>
> IMO it is a good candidate but I would leave it to Nalin to chime in.
>

I would expect more things that require periodic checking on clients 
beyond certificates to come in the future, so I'm not sure if doing this 
in certmonger is the right thing to do. Also, SSSD already does a 
similar thing for realm domains, right?

Honza

-- 
Jan Cholasta
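The two mechanisms discussed in the quoted message (a poller that notices the published CA set has changed, and an external hook that propagates the new bundle to the places SSSD cannot reasonably touch itself) are sketched below as an added example. This is not FreeIPA, SSSD or certmonger code. The LDAP fetch itself is left out: the function takes whatever DER blobs a poller has already retrieved, and the sample blobs are constructed bytes standing in for real DER certificates. The bundle path, the fingerprint-based comparison and the `on_change` hook signature are assumptions made for the example, not an interface any of these projects exposes.

```python
"""Added example: reconcile a local CA bundle with the set published in LDAP.

Not FreeIPA/SSSD code.  Certificates are compared by SHA-256 of their DER
encoding, the bundle is rewritten atomically so a crash never leaves a
truncated trust store, and a hook fires only when the set actually changed.
"""
import base64
import hashlib
import os
import tempfile
from typing import Callable, Dict, Iterable, List, Optional, Tuple

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Hook signature assumed for this example: (bundle_path, added, removed).
ChangeHook = Callable[[str, List[str], List[str]], None]


def fingerprint(der: bytes) -> str:
    """Stable identity for a certificate: SHA-256 over its DER bytes."""
    return hashlib.sha256(der).hexdigest()


def parse_pem_bundle(text: str) -> Dict[str, bytes]:
    """Return {fingerprint: DER} for every certificate in a PEM bundle."""
    certs: Dict[str, bytes] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == PEM_BEGIN:
            body = []
            i += 1
            while i < len(lines) and lines[i].strip() != PEM_END:
                body.append(lines[i].strip())
                i += 1
            der = base64.b64decode("".join(body), validate=True)
            certs[fingerprint(der)] = der
        i += 1
    return certs


def to_pem(der: bytes) -> str:
    """PEM-encode one DER blob with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{wrapped}\n{PEM_END}\n"


def diff_certs(local: Dict[str, bytes], remote: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Fingerprints present only remotely (added) and only locally (removed)."""
    return sorted(set(remote) - set(local)), sorted(set(local) - set(remote))


def write_bundle_atomic(path: str, certs: Dict[str, bytes]) -> None:
    """Write to a temp file in the same directory, fsync, then rename over the target."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ca.crt.")
    try:
        with os.fdopen(fd, "w") as f:
            for fp in sorted(certs):
                f.write(to_pem(certs[fp]))
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)  # trust anchors are public; readable by all, writable by owner
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def sync_ca_bundle(bundle_path: str, ldap_certs: Iterable[bytes],
                   on_change: Optional[ChangeHook] = None) -> Tuple[List[str], List[str]]:
    """Reconcile bundle_path with the DER certificates fetched from LDAP.

    Returns (added, removed) fingerprints.  The bundle is rewritten and the hook
    is run only when the published set differs from what is on disk, so a
    periodic poll with an unchanged CA set is a no-op.
    """
    local: Dict[str, bytes] = {}
    if os.path.exists(bundle_path):
        with open(bundle_path) as f:
            local = parse_pem_bundle(f.read())
    remote = {fingerprint(der): der for der in ldap_certs}
    added, removed = diff_certs(local, remote)
    if added or removed:
        write_bundle_atomic(bundle_path, remote)
        if on_change is not None:
            on_change(bundle_path, added, removed)
    return added, removed


def demo() -> dict:
    """Offline walk-through of a CA rollover using constructed stand-in blobs."""
    ca_old = b"\x30\x82\x01\x00constructed-old-ca"  # constructed, not a real certificate
    ca_new = b"\x30\x82\x01\x00constructed-new-ca"  # constructed, not a real certificate
    hook_calls: List[Tuple[int, int]] = []

    def hook(path: str, added: List[str], removed: List[str]) -> None:
        hook_calls.append((len(added), len(removed)))  # a real hook would update NSS DBs etc.

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca.crt")
        first = sync_ca_bundle(path, [ca_old], hook)           # initial enrolment
        same = sync_ca_bundle(path, [ca_old], hook)            # unchanged poll
        rollover = sync_ca_bundle(path, [ca_old, ca_new], hook)  # new CA published alongside old
        retire = sync_ca_bundle(path, [ca_new], hook)          # old CA withdrawn
        with open(path) as f:
            final = set(parse_pem_bundle(f.read()).values())
    return {
        "first": (len(first[0]), len(first[1])),
        "same": (len(same[0]), len(same[1])),
        "rollover": (len(rollover[0]), len(rollover[1])),
        "retire": (len(retire[0]), len(retire[1])),
        "hook_calls": hook_calls,
        "final_is_new_only": final == {ca_new},
    }


if __name__ == "__main__":
    print(demo())
```

The rollover step is the case the thread cares about: the bundle carries both the old and the new CA for as long as LDAP publishes both, so clients keep validating servers that have not yet re-keyed, and the old anchor disappears only when it is withdrawn from LDAP. The hook receives the fingerprints that changed, which is enough for an external updater to decide which NSS databases or anchor files need work without re-deriving the diff.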
