Rob Foehl via FreeIPA-users wrote:
> On Fri, 26 May 2017, Fraser Tweedale wrote:
>> What is the validity of the leaf certificates?  Is the notAfter time
>> of the leaf certificate pegged to the notAfter time of the CA
>> certificate?  If so, this is (IMO) a bug.
> The leaf certs' expiration is pegged to that of the CA cert that was
> used to issue them -- the old one, in this case -- but that is expected
> behavior for any CA.  It wouldn't be semantically valid otherwise, and
> there's no guarantee that the CA cert will actually be renewed without
> changing the key.
> The odd behavior here is that certmonger woke up, noticed that every IPA
> cert including the externally-signed IPA CA needed to be renewed, and
> immediately caused the CA to renew them all.  The IPA CA cert itself
> yielded a log entry like this:
> May 25 00:25:21 dogtag-ipa-ca-renew-agent-submit[868]:
> Certificate with subject 'CN=Certificate Authority,O=EXAMPLE.COM' is
> about to expire, use ipa-cacert-manage to renew it
> The other 7 or so IPA-generated certificates (host, RA, OCSP, etc.) were
> renewed using the existing CA cert, with new validity periods tied to
> that cert.  As mentioned, certmonger would likely figure this out and
> renew them all again using the since-replaced CA cert within the ~2 week
> period until they all expire again, but this seems like unexpected
> behavior when the IPA CA cert is signed by an external CA and can't be
> auto-renewed.
> (Actually, based on the order the renewals were submitted, this seems
> like it'd be an issue even if the CA cert were automatically renewed --
> it wasn't the first one to be submitted, either.  Incidentally, the
> certs which were renewed aren't a complete list -- neither the
> "CN=ipa-ca-agent" nor the "CN=Object Signing Cert" cert was renewed, and
> neither is tracked by certmonger.)

certmonger doesn't have the context to know internal vs external. It
just knows a cert is expiring within its window so it renews it. IMHO
this is completely expected.

I believe that certmonger will renew it again as the final day approaches.

The object signing cert is deprecated and not used (it was used to sign
a JAR file to automatically configure Firefox). The ipa-ca-agent cert
isn't used either; it is an artifact of the dogtag install.
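
As an added illustration of the interaction described above (this is not code from the thread, certmonger, Dogtag or FreeIPA), the model below applies the two rules the thread relies on: a CA never issues a leaf whose notAfter is later than its own, and a certmonger-style wake-up resubmits every tracked certificate whose remaining lifetime is inside the renewal window. It then runs the scenario twice, first against the still-valid old CA cert and then after the IPA CA has been re-signed, and also flags any leaf whose validity is not contained in its issuer's. The dates, the 28-day window, the two-year requested lifetime and all function and subject names are constructed assumptions.

```python
# Constructed model of the renewal behaviour discussed in the thread.
# Not certmonger or Dogtag code; dates, window and names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def issue(ca: Cert, subject: str, now: datetime, requested: timedelta) -> Cert:
    """Issue a leaf under `ca`; notAfter is clamped to the CA's own notAfter."""
    return Cert(subject, ca.subject, now, min(now + requested, ca.not_after))


def needs_renewal(cert: Cert, now: datetime, window: timedelta) -> bool:
    """Window check: renew once the remaining lifetime is inside the window."""
    return cert.not_after - now <= window


def validity_violations(certs: list[Cert]) -> list[str]:
    """Subjects whose validity period is not contained in their issuer's."""
    by_subject = {c.subject: c for c in certs}
    bad = []
    for c in certs:
        issuer = by_subject.get(c.issuer)
        if issuer is None or issuer.subject == c.subject:
            continue  # issuer not in the set, or self-signed: nothing to compare
        if c.not_before < issuer.not_before or c.not_after > issuer.not_after:
            bad.append(c.subject)
    return bad


def wakeup(ca: Cert, leaves: list[Cert], now: datetime, window: timedelta,
           requested: timedelta) -> list[Cert]:
    """One wake-up: every leaf inside the window is reissued by `ca`, others kept."""
    return [issue(ca, leaf.subject, now, requested) if needs_renewal(leaf, now, window)
            else leaf for leaf in leaves]


# --- constructed scenario (values are assumptions, not from the thread) ----
NOW = datetime(2017, 5, 25, 0, 25, 21, tzinfo=timezone.utc)   # time of the log entry
WINDOW = timedelta(days=28)                                    # assumed renewal window
REQUESTED = timedelta(days=730)                                # assumed leaf lifetime

OLD_CA = Cert("CN=Certificate Authority,O=EXAMPLE.COM", "CN=External Root (assumed)",
              NOW - timedelta(days=3650), NOW + timedelta(days=14))   # ~2 weeks left
LEAVES = [Cert(s, OLD_CA.subject, OLD_CA.not_before, OLD_CA.not_after)
          for s in ("CN=ipa1.example.com", "CN=IPA RA", "CN=OCSP Subsystem")]


def run_scenario() -> dict:
    """Renew against the old CA, then against a re-signed CA; report notAfter values."""
    first = wakeup(OLD_CA, LEAVES, NOW, WINDOW, REQUESTED)
    # The external CA re-signs the IPA CA (same subject, much longer validity).
    new_ca = Cert(OLD_CA.subject, OLD_CA.issuer, NOW, NOW + timedelta(days=3650))
    later = NOW + timedelta(days=1)
    second = wakeup(new_ca, first, later, WINDOW, REQUESTED)
    # A leaf outliving its issuer is the "semantically invalid" case from the thread.
    stale = Cert("CN=stale", OLD_CA.subject, NOW, NOW + timedelta(days=365))
    return {
        "first_pass_not_after": {c.subject: c.not_after.isoformat() for c in first},
        "still_in_window_after_first_pass": all(needs_renewal(c, NOW, WINDOW) for c in first),
        "second_pass_not_after": {c.subject: c.not_after.isoformat() for c in second},
        "violations_before_ca_renewal": validity_violations([OLD_CA, *first]),
        "violation_example": validity_violations([OLD_CA, stale]),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The first pass reproduces the observation in the thread: every reissued leaf inherits the old CA's notAfter, so all of them are still inside the window the moment they are renewed and will be resubmitted again. Only after the CA itself has been re-signed does a wake-up produce leaves with their full requested lifetime.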
