I'm currently investigating support for multiple CA certificates in LDAP
<https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for
CA certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
<https://fedorahosted.org/freeipa/ticket/3737>) and using certificates
issued by custom CAs for IPA HTTP and directory server instances
The biggest issue is how to make IPA clients aware of CA certificate
changes. One of the tickets suggests polling the LDAP server from SSSD.
Would that be sufficient? Perhaps a combination of polling and detecting
certificate changes when connecting to LDAP would be better?
Another issue is how to handle updating IPA systems with new CA
certificate(s). On clients it is probably sufficient to store the
certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple
places where the update needs to be done (HTTP and directory server NSS
databases, KDC pkinit_anchors file, etc.). IMO doing all this from SSSD
is unrealistic, so there should be a way to do this externally. The
simplest thing that comes to mind is that SSSD would execute an external
script to do the update when it detects changes, but I'm not sure how
well would that work with SELinux in the picture. Is there a better way
to do this?
Suggestions and ideas are welcome.
Freeipa-devel mailing list