On 9.5.2016 18:27, Petr Vobornik wrote:
On 05/09/2016 09:35 AM, Jan Cholasta wrote:
Hi,

On 6.5.2016 08:01, Fraser Tweedale wrote:
Hullo all,

FreeIPA Lightweight CAs implementation is progressing well.  The
remaining big unknown in the design is how to do renewal.  I have
put my ideas into the design page[1] and would appreciate any and
all feedback!

[1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal

Some brief commentary on the options:

I intend to implement approach (1) as a baseline.  Apart from
implementing machinery in Dogtag to actually perform the renewal -
which is required for all the approaches - it's not much work and
gets us over the "lightweight CAs can be renewed easily" line, even
if it is a manual process.

For automatic renewal, I am leaning towards approach (2).  Dogtag
owns the lightweight CAs so I think it makes sense to give Dogtag
the ability to renew them automatically (if configured to do so),
without relying on external tools i.e. Certmonger.  But as you will
see from the outlines, each approach has its upside and downside.

I would prefer (3), as I would very much like to avoid duplicating
certmonger's functionality in Dogtag.

Some comments on the disadvantages:

  * "Proliferation of Certmonger tracking requests; one for each
FreeIPA-managed lightweight CA."

    I don't think this is an actual issue, as it's purely cosmetic.

  * "Either lightweight CA creation is restricted to the renewal master,
or the renewal master must observe the creation of new lightweight CAs
and start tracking their certificate."

    IMO this doesn't have to be done automatically in the initial
implementation. You could extend ipa-certupdate to set up certmonger for
lightweight CAs and have admins run it manually on masters after adding
a new lightweight CA. They will have to run it anyway to get the new
lightweight CA certificate installed in the system, so it should be fine
to do it this way.

I'm afraid that it can lead to errors where admins would distribute the
cert by other means and as a result this command would not be run on
renewal master even though it is easier. But it is still better than #1
without auto-renewal mechanism.

Admins can screw up using any of the proposed approaches, so IMHO this argument is invalid :-)



  * "Development of new Certmonger renewal helpers solely for
lightweight CA renewal."

    It would be easier to extend the existing helpers. I don't think
there is anything preventing them from being used for lighweight CAs,
except not conveying the CA name, which should be easy to implement.


I would also avoid starting with (1), I don't believe it adds any real
value. IMHO the first thing that should be done is implement lightweight
CA support in certmonger (add new 'request' / 'start-tracking' option
for CA name, store it in tracking requests, pass it to CA helpers in a
new environment variable).


Honza



--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to