On 09/02/2013 04:49 AM, Petr Spacek wrote:
> On 22.8.2013 15:43, Jan Cholasta wrote:
>> Hi,
>>
>> I'm currently investigating support for multiple CA certificates in LDAP
>> (<https://fedorahosted.org/freeipa/ticket/3259>,
>> <https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
>> certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
>> <https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
>> by custom CAs for IPA HTTP and directory server instances
>> (<https://fedorahosted.org/freeipa/ticket/3641>).
>>
>> The biggest issue is how to make IPA clients aware of CA certificate changes.
>> One of the tickets suggests polling the LDAP server from SSSD. Would that be
>> sufficient? Perhaps a combination of polling and detecting certificate changes
>> when connecting to LDAP would be better?
>>
>> Another issue is how to handle updating IPA systems with new CA
>> certificate(s). On clients it is probably sufficient to store the
>> certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
>> where the update needs to be done (HTTP and directory server NSS databases,
>> KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
>> so there should be a way to do this externally. The simplest thing that comes
>> to mind is that SSSD would execute an external script to do the update when it
>> detects changes, but I'm not sure how well that would work with SELinux in the
>> picture. Is there a better way to do this?
>
> It reminds me of problems with key rotation for DNSSEC.
>
> Could we find common problems and use the same/similar solution for
> both problems?
>
> An extension for certmonger? Oddjob? Or a completely new daemon?

Certmonger already has a way to:
1) Check things periodically
2) Hand certs in different places
3) Run post-op scripts
IMO it is a good candidate but I would leave it to Nalin to chime in.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
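One way the "detect a change, then run a post-op step" flow discussed in this thread could look on a client, as an added example that is not from the thread, SSSD or certmonger: it fingerprints the certificates in the local bundle (/etc/ipa/ca.crt in the discussion), diffs them against the set fetched from LDAP (assumed here to arrive as PEM strings), rewrites the bundle atomically only when the set changed, and only then calls a hypothetical `post_update_hook` that stands in for the external update script. The `demo()` certificates are constructed placeholder PEM blocks, not real X.509 data.

```python
import base64, hashlib, os, re, tempfile

# One PEM certificate block; the captured body is base64-encoded DER.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(bundle_text):
    """SHA-256 fingerprint of each cert's DER -> its PEM block (reorder/reflow is not a change)."""
    certs = {}
    for m in _PEM_RE.finditer(bundle_text):
        body = "".join(m.group(1).split())
        fp = hashlib.sha256(base64.b64decode(body)).hexdigest()
        certs[fp] = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
    return certs

def ca_bundle_diff(local_text, remote_pems):
    """Diff the bundle on disk against certs fetched from LDAP (PEM strings): (added, removed)."""
    local, remote = pem_fingerprints(local_text), pem_fingerprints("".join(remote_pems))
    return set(remote) - set(local), set(local) - set(remote)

def update_ca_bundle(path, remote_pems, post_update_hook=None):
    """Rewrite `path` atomically only if the CA set changed, then run the post-op hook
    (the step that would reload NSS databases, pkinit_anchors, ...). True if rewritten."""
    local_text = open(path).read() if os.path.exists(path) else ""
    added, removed = ca_bundle_diff(local_text, remote_pems)
    if not added and not removed:
        return False  # unchanged: no rewrite, no hook run
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ca.crt.")
    with os.fdopen(fd, "w") as f:
        f.write("".join(pem_fingerprints("".join(remote_pems)).values()))
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; a trust bundle must be world-readable
    os.replace(tmp, path)  # readers see the old or the new bundle, never a partial one
    if post_update_hook:
        post_update_hook(added, removed)
    return True

def demo():
    """Constructed round trip in a temp dir with placeholder PEM blocks (NOT real X.509)."""
    fake = lambda seed: "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode((seed * 16).encode()).decode()
    events = []
    hook = lambda added, removed: events.append((len(added), len(removed)))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca.crt")
        first = update_ca_bundle(path, [fake("OLDCA")], hook)  # initial write, hook fires
        same = update_ca_bundle(path, [fake("OLDCA")], hook)  # same set: no-op
        rotated = update_ca_bundle(path, [fake("OLDCA"), fake("NEWCA")], hook)  # new CA added
        with open(path) as f:
            on_disk = len(pem_fingerprints(f.read()))
    return first, same, rotated, events, on_disk
```

Because identity is the hash of the DER bytes, a bundle that was merely reformatted or reordered does not trigger the hook, while a rotated or added CA does.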
