Hi folks
I make use of certmonger's key_use_count to ensure that I don't use the
same private key more than once when issuing service certificates. I was
wondering what would happen if this was set on a FreeIPA server. Having
done a bit of reading I think this looks like a Very Bad Idea, but I was
wondering if someone could confirm the following:
1. It's fine to rekey the KDC/dirsrv/httpd service certificates -
there's nothing particularly special about them.
2. The Dogtag-related certificates are renewed on the CA renewal master,
and stashed into the directory in entries under
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX so that the other servers can
retrieve them; but the private keys aren't stashed in the directory, so
transporting the new keys to the other servers would be a manual process.
3. One of these certificates is the CA certificate which you would never
want to re-key because that would cause absolute mayhem.
4. There's no way to have certmonger re-key the service certificates
(from the "IPA" CA) when renewing, but not the system certificates (from
the "dogtag-ipa-ca-renew-agent" CA); so setting key_use_count is a
really bad idea, never do it on a FreeIPA server.
Cheers,
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
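The post's concern is whether a renewal re-keyed or silently reused the old key pair. The following script is an added example, not code from the post, from certmonger or from FreeIPA: it compares the SubjectPublicKeyInfo (SPKI) of two certificates so an operator can verify after a renewal which of the two happened. It uses only the Python standard library with a small hand-written DER walker, assumes well-formed DER or PEM input, and `fake_cert_der()` builds constructed, unsigned certificate-shaped test data purely so the check can be exercised offline; real input would be the old and new certificate files.

```python
"""Tell a re-keyed renewal from a key-reusing one by comparing SPKI fingerprints.

Added example (not from the mailing-list post, certmonger or FreeIPA).
Standard library only; the DER walker handles only what it needs from a
well-formed X.509 certificate.
"""
import base64
import hashlib
import re
import sys


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def load_cert(blob):
    """Accept PEM or DER bytes and return DER."""
    if b"-----BEGIN" in blob:
        m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", blob, re.S)
        if not m:
            raise ValueError("no PEM certificate found")
        return base64.b64decode(b"".join(m.group(1).split()))
    return blob


def spki_from_der(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, start, _, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, _ = _read_tlv(cert_der, start)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, _, nxt = _read_tlv(cert_der, pos)          # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = nxt
    for _ in range(5):                                  # serial, signature, issuer, validity, subject
        _, _, _, pos = _read_tlv(cert_der, pos)
    tag, _, _, nxt = _read_tlv(cert_der, pos)          # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:nxt]


def key_fingerprint(cert_blob):
    """SHA-256 over the whole SPKI: identical keys give identical fingerprints."""
    return hashlib.sha256(spki_from_der(load_cert(cert_blob))).hexdigest()


def renewal_reused_key(old_cert, new_cert):
    """True if the renewed certificate carries the same public key as the old one."""
    return key_fingerprint(old_cert) == key_fingerprint(new_cert)


# --- constructed test data (not a real, signed certificate) -------------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_SHA256_RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
_RSA_ENC = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))


def fake_spki(seed):
    """Constructed SPKI with a dummy 64-byte key blob derived from `seed`."""
    return _der(0x30, _RSA_ENC + _der(0x03, b"\x00" + bytes([seed]) * 64))


def fake_cert_der(serial, spki_der):
    """Constructed, unsigned, certificate-shaped DER for exercising the parser."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, version + _der(0x02, bytes([serial])) + _SHA256_RSA
               + name + validity + name + spki_der)
    return _der(0x30, tbs + _SHA256_RSA + _der(0x03, b"\x00" * 5))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: rekey_check.py OLD_CERT NEW_CERT")
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        reused = renewal_reused_key(f.read(), g.read())
    print("key REUSED" if reused else "key changed (re-keyed)")
```

Run it with the certificate file certmonger tracked before the renewal and the file it wrote afterwards; a "key REUSED" result on a certificate you expected to be re-keyed is the condition the post is trying to avoid.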