On 24.6.2016 08:49, Fraser Tweedale wrote:
On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
Hi,

On 21.6.2016 08:24, Fraser Tweedale wrote:
The attached patches add lightweight CA renewal.  There are two
substantive aspects:

1. The renew_ca_cert updates the serial number in the lightweight
CA's entry in the Dogtag database.  This causes CA clones to observe
the renewal and update the certs in their own NSSDBs.

2. The ipa-certupdate command adds Certmonger tracking requests for
lightweight CAs (on the renewal master only).

Correct behaviour also depends on my patch 0069 (in-server API for
renew_ca_cert script).

Patch 0072-0074: LGTM

Patch 0075:

1) Lightweight CA certs should be tracked by certmonger on all CA servers,
not just on the renewal master. The behavior should be the same as for the
main CA cert, i.e. the actual renewal is done only on the renewal master,
other CA servers only update their NSS DBs (this is handled in
dogtag-ipa-ca-renew-agent-submit).

This is important because CA renewal master can change at any time, and
without all CA certs being tracked on all CA servers, there is no guarantee
the renewal would happen.

2) Since CA clones update their NSS DBs on their own,
dogtag-ipa-ca-renew-agent should be updated not to put them in
cn=ca_renewal,cn=ipa,cn=etc.

Thanks for the review, Honza.  Updated patch 0075-2 attached.

Thanks, ACK.

Rebased patch 0072 and pushed to master: 0078e7a9192a940104d8f6621b33d24d814c109b

It would be nice if lightweight CAs known at replica install time were tracked without having to manually run ipa-certupdate after ipa-replica-install. Shall I file a ticket for this, or will you be able to provide a patch before Friday?

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to