On 21.6.2016 08:24, Fraser Tweedale wrote:
The attached patches add lightweight CA renewal. There are two
1. The renew_ca_cert updates the serial number in the lightweight
CA's entry in the Dogtag database. This causes CA clones to observe
the renewal and update the certs in their own NSSDBs.
2. The ipa-certupdate command adds Certmonger tracking requests for
lightweight CAs (on the renewal master only).
Correct behaviour also depends on my patch 0069 (in-server API for
Patch 0072-0074: LGTM
1) Lightweight CA certs should be tracked by certmonger on all CA
servers, not just on the renewal master. The behavior should be the same
as for the main CA cert, i.e. the actual renewal is done only on the
renewal master, other CA servers only update their NSS DBs (this is
handled in dogtag-ipa-ca-renew-agent-submit).
This is important because CA renewal master can change at any time, and
without all CA certs being tracked on all CA servers, there is no
guarantee the renewal would happen.
2) Since CA clones update their NSS DBs on their own,
dogtag-ipa-ca-renew-agent should be updated not to put them in
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code