On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote:
> I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed
> with --external-ca, and the resulting CSR signed with a validity period of
> 30 days to test behavior around expirations.
> 
> Upon booting that instance today, certmonger decided to preemptively renew
> every IPA cert -- which is a good thing -- but did so without waiting for
> renewal of the IPA CA cert first, which is less good.  Now that instance has
> a pile of certs that expire in two weeks, since they were signed with and
> thus tied to the expiration of the old IPA CA cert.
> 
This is not correct.  The CA cert must be valid for the leaf cert to
be valid, but the CA cert *can* be renewed without requiring leaf
certificates to be reissued.  So long as the following conditions
are met, everything will be fine:

1. The CA's key (and Subject Key Identifier) do not change
2. The CA's Subject DN does not change
3. The new CA certificate gets distributed to clients.

Cheers,
Fraser

> While I'm guessing certmonger will figure this out and do the right thing
> within a couple weeks -- and with the expectation that this would only
> happen once per IPA CA renewal with a "real" deployment -- is this the
> intended behavior?
> 
> Logs are a bit of a mess between this and a potentially-resolved SELinux
> issue with certmonger, but I'll wedge them all into a proper bug report if
> desired.
> 
> -Rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
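The three conditions Fraser lists (same CA key and SKI, same Subject DN, new CA cert distributed to clients), worked through with the openssl CLI as an added example that is not FreeIPA, certmonger or Dogtag code; it issues a leaf under a short-lived CA cert, renews the CA cert with the same key, and checks that the old leaf still validates against the renewed CA cert, and also shows the rekey case where condition 1 is broken. All DNs, key and file names are constructed.

```shell
#!/bin/sh
# Added example, not FreeIPA, certmonger or Dogtag code: a leaf cert issued
# under an old CA cert still verifies against the renewed CA cert when the CA
# keeps its key (hence its Subject Key Identifier) and its Subject DN.
# Assumes the openssl CLI; every DN, key and file name here is constructed.

CA_SUBJ="/O=EXAMPLE.TEST/CN=Certificate Authority"

# Print the Subject Key Identifier of a certificate file.
ski_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Key Identifier' | tail -n 1 | tr -d ' '
}

# Self-sign a CA cert from an EXISTING key: $1=key $2=out $3=days.
# Reusing the key via -key (rather than -newkey) keeps the SKI unchanged.
issue_ca() {
  openssl req -config ca.cnf -x509 -new -key "$1" -out "$2" -days "$3" \
    -subj "$CA_SUBJ" 2>/dev/null
}

# Runs in a subshell so the temp dir and cd do not leak to the caller.
# $1 = "same-key" (correct renewal) or "new-key" (rekey, breaks condition 1).
# Prints "leaf.pem: OK" and returns 0 only when the old leaf still validates.
demo_ca_renewal() (
  cd "$(mktemp -d)"
  # Minimal req config so no system openssl.cnf extensions interfere.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' > ca.cnf
  openssl genrsa -out ca.key 2048 2>/dev/null
  issue_ca ca.key ca-old.pem 30          # 30-day CA cert, as in the post
  # Leaf cert issued under the OLD CA cert.
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca-old.pem -CAkey ca.key -CAcreateserial \
    -days 20 -out leaf.pem 2>/dev/null
  renew_key=ca.key
  if [ "$1" = new-key ]; then
    openssl genrsa -out ca-new.key 2048 2>/dev/null; renew_key=ca-new.key
  fi
  issue_ca "$renew_key" ca-new.pem 3650  # renewal with a fresh validity period
  # Conditions 1 and 2: SKI and Subject DN unchanged.
  [ "$(ski_of ca-old.pem)" = "$(ski_of ca-new.pem)" ] || exit 1
  [ "$(openssl x509 -in ca-old.pem -noout -subject)" = \
    "$(openssl x509 -in ca-new.pem -noout -subject)" ] || exit 1
  # Condition 3: a client trusting only the NEW CA cert validates the old leaf.
  openssl verify -CAfile ca-new.pem leaf.pem 2>/dev/null
)
```

Run `demo_ca_renewal same-key` to see the leaf validate against the renewed CA cert, and `demo_ca_renewal new-key` to see the check fail as soon as the SKI differs.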
