[Freeipa-devel] certmonger everywhere

Jan Cholasta jcholast at redhat.com
Tue Dec 15 07:54:19 UTC 2015


Hi,

recently David and I discussed the direction of installers with regard 
to requesting certificates. Currently there are four (!) different ways 
of requesting certificates in the installer [1][2][3][4]. We would like 
to reduce it to one.

Since all the certificates are tracked by certmonger and certmonger 
already knows how to request certificates from Dogtag (and other CAs), 
we believe that all certificates should be requested using certmonger.

Taking our meditation further, we thought "Why not use certmonger for 
the cert-request command as well?" What is the benefit, do you ask?

  a) single code path for requesting certificates (seriously, the 
current state is ridiculous)

  b) use any CA supported by certmonger as the IPA CA (i.e. Let's 
Encrypt [5], once certmonger gains support for it)

  c) automate external CA install, using any CA supported by certmonger [6]

  d) support multiple different CAs at once (generalization of the 
Sub-CA feature)

  e) uniform configuration on clients (configure once, use forever, even 
for CA-less)

The idea is to store configuration for the different CAs in LDAP and 
have cert-request redirect requests to a proper CA helper according to 
that configuration. This would require a new certmonger D-Bus method to 
call a CA helper without associated certificate storage, but that should 
be rather easy to add. In return, it would be possible to do all of the 
above.

Note that this should not conflict with tighter integration with Dogtag 
(profiles, ACLs, etc.).

Comments are welcome.

Honza

[1] <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipapython/certmonger.py#n305>
[2] <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/certs.py#n329>
[3] <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/certs.py#n355>
[4] <https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/cainstance.py#n878>
[5] <https://fedorahosted.org/freeipa/ticket/5431>
[6] <https://fedorahosted.org/freeipa/ticket/5317>

-- 
Jan Cholasta
