On 21.6.2016 08:24, Fraser Tweedale wrote:
The attached patches add lightweight CA renewal.  There are two
substantive aspects:

1. The renew_ca_cert updates the serial number in the lightweight
CA's entry in the Dogtag database.  This causes CA clones to observe
the renewal and update the certs in their own NSSDBs.

2. The ipa-certupdate command adds Certmonger tracking requests for
lightweight CAs (on the renewal master only).

Correct behaviour also depends on my patch 0069 (in-server API for
renew_ca_cert script).

Patch 0072-0074: LGTM

Patch 0075:

1) Lightweight CA certs should be tracked by certmonger on all CA servers, not just on the renewal master. The behavior should be the same as for the main CA cert, i.e. the actual renewal is done only on the renewal master, other CA servers only update their NSS DBs (this is handled in dogtag-ipa-ca-renew-agent-submit).

This is important because CA renewal master can change at any time, and without all CA certs being tracked on all CA servers, there is no guarantee the renewal would happen.

2) Since CA clones update their NSS DBs on their own, dogtag-ipa-ca-renew-agent should be updated not to put them in cn=ca_renewal,cn=ipa,cn=etc.


Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to