On 22.8.2013 15:43, Jan Cholasta wrote:

I'm currently investigating support for multiple CA certificates in LDAP
<https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
<https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
by custom CAs for IPA HTTP and directory server instances

The biggest issue is how to make IPA clients aware of CA certificate changes.
One of the tickets suggests polling the LDAP server from SSSD. Would that be
sufficient? Perhaps a combination of polling and detecting certificate changes
when connecting to LDAP would be better?

Another issue is how to handle updating IPA systems with new CA
certificate(s). On clients it is probably sufficient to store the
certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
where the update needs to be done (HTTP and directory server NSS databases,
KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
so there should be a way to do this externally. The simplest thing that comes
to mind is that SSSD would execute an external script to do the update when it
detects changes, but I'm not sure how well would that work with SELinux in the
picture. Is there a better way to do this?

It reminds me problems with key-rotation for DNSSEC.

Could we find common problems and use the same/similar solution for both 

An extension for certmonger? Oddjob? Or a completely new daemon?

Petr^2 Spacek

Freeipa-devel mailing list

Reply via email to