[Freeipa-devel] Multiple CA certificates in LDAP, questions

Jakub Hrozek jhrozek at redhat.com
Fri Sep 13 11:47:11 UTC 2013


On Thu, Sep 05, 2013 at 10:28:36AM +0200, Jan Cholasta wrote:
> On 3.9.2013 18:16, Dmitri Pal wrote:
> >On 09/02/2013 04:49 AM, Petr Spacek wrote:
> >>On 22.8.2013 15:43, Jan Cholasta wrote:
> >>>Hi,
> >>>
> >>>I'm currently investigating support for multiple CA certificates in LDAP
> >>>(<https://fedorahosted.org/freeipa/ticket/3259>,
> >>><https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
> >>>certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
> >>><https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
> >>>by custom CAs for IPA HTTP and directory server instances
> >>>(<https://fedorahosted.org/freeipa/ticket/3641>).
> >>>
> >>>The biggest issue is how to make IPA clients aware of CA certificate changes.
> >>>One of the tickets suggests polling the LDAP server from SSSD. Would that be
> >>>sufficient? Perhaps a combination of polling and detecting certificate changes
> >>>when connecting to LDAP would be better?
> >>>
> >>>Another issue is how to handle updating IPA systems with new CA
> >>>certificate(s). On clients it is probably sufficient to store the
> >>>certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
> >>>where the update needs to be done (HTTP and directory server NSS databases,
> >>>KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
> >>>so there should be a way to do this externally. The simplest thing that comes
> >>>to mind is that SSSD would execute an external script to do the update when it
> >>>detects changes, but I'm not sure how well that would work with SELinux in the
> >>>picture. Is there a better way to do this?
> >>
> >>It reminds me of problems with key rotation for DNSSEC.
> >>
> >>Could we find common problems and use the same/similar solution for
> >>both problems?
> >>
> >>An extension for certmonger? Oddjob? Or a completely new daemon?
> >>
> >Certmonger already has a way to:
> >1) Check things periodically
> >2) Hand certs in different places
> >3) Run post op scripts
> >
> >IMO it is a good candidate but I would leave it to Nalin to chime in.
> >
> 
> I would expect more things that require periodic checking on clients
> beyond certificates to come in the future, so I'm not sure if doing
> this in certmonger is the right thing to do. Also, SSSD already does
> a similar thing for realm domains, right?
> 
> Honza

Sorry, didn't notice the "sssd" keyword until now.

Yes, we re-check and update domains every 30 seconds and right after
startup as well.
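The change detection Honza asks about (a poller compares the CA certificate set published in LDAP with what the client holds in /etc/ipa/ca.crt and only triggers an update hook when the set differs), written out as an added example; this is not code from the thread or from SSSD/FreeIPA, and the PEM blobs below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Matches each certificate in a PEM bundle such as /etc/ipa/ca.crt.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, the usual identity for a cert."""
    return hashlib.sha256(der).hexdigest()


def diff_ca_certs(ldap_bundle: str, local_bundle: str) -> Dict[str, object]:
    """Compare the CA set fetched from LDAP with the local copy.

    'changed' is the signal a poller would use to run the external update
    script; 'added'/'removed' list fingerprints so the decision can be logged.
    """
    in_ldap = {fingerprint(d) for d in split_pem_bundle(ldap_bundle)}
    on_disk = {fingerprint(d) for d in split_pem_bundle(local_bundle)}
    return {
        "added": sorted(in_ldap - on_disk),
        "removed": sorted(on_disk - in_ldap),
        "changed": in_ldap != on_disk,
    }


def _fake_pem(payload: bytes) -> str:
    """Constructed placeholder: wraps arbitrary bytes in PEM armour (not X.509)."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed sample data: the client still holds only the old CA, while LDAP
# now publishes both the old and the renewed CA certificate.
OLD_CA = _fake_pem(b"constructed: old IPA CA cert, not real DER")
NEW_CA = _fake_pem(b"constructed: renewed IPA CA cert, not real DER")
LOCAL_BUNDLE = OLD_CA
LDAP_BUNDLE = OLD_CA + NEW_CA

if __name__ == "__main__":
    print(diff_ca_certs(LDAP_BUNDLE, LOCAL_BUNDLE))
```

A real poller would fetch the LDAP bundle every interval (the thread mentions SSSD re-checking realm domains every 30 seconds) and, on `changed`, rewrite /etc/ipa/ca.crt atomically and invoke the update hook.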
