[Freeipa-users] Re: Removal & clean up certificates from o=ipaca

2018-11-09 Thread David Goudet via FreeIPA-users
Hello,

I did a request and certificate suppression test and restarted the IPA stack. It works!

ldapdelete -x -D "cn=directory manager" -W "cn=87289,ou=ca,ou=requests,o=ipaca"
ldapdelete -x -D "cn=directory manager" -W "cn=87273,ou=certificateRepository,ou=ca,o=ipaca"

I am going to generate the list of request and certificate entries that are useless.

Here is a little procedure:

(cn (in ou=certificateRepository,ou=ca,o=ipaca) is equal to the decimal serial number in the x509 certificate)

Back up IPA and save the ipaca tree (sudo ldapsearch -x -h localhost -D "cn=directory manager" -W -b o=ipaca > /var/lib/ipa/backup/all)

Certificate tree purge (ou=certificateRepository,ou=ca,o=ipaca):
1. Identify the entries that have to be excluded (non-garbage certificates: used & expired certificates)
 - Get the serial ID of a used certificate: sudo openssl x509 -in xxx.crt -text -noout | grep "Seria\|Not\|Sub"
2. Get the garbage certificate list (used & expired certificates are excluded): ldapsearch -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~=)(!(cn=))(certStatus=VALID))' dn | grep "cn=" | sed -e "s/dn: //" -e "/\#/d" > cert_

Request tree purge (ou=ca,ou=requests,o=ipaca):
1. Identify the entries that have to be excluded (non-garbage certificates: used & expired certificates)
 - Get the requestID of a used certificate: sudo ldapsearch -x -D "cn=directory manager" -W -b "cn=,ou=certificateRepository,ou=ca,o=ipaca" '(subjectName~=)' "metaInfo"
 - Get the requestIDs of expired certificates: sudo ldapsearch -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~=)(!(certStatus=VALID)))' "metaInfo"
2. Get the garbage certificate request list (used & expired certificates are excluded): sudo ldapsearch -x -D "cn=directory manager" -W -b "ou=ca,ou=requests,o=ipaca" '(&(extdata-req--005fsubject--005fname--002ecn=)(&(!(cn=))(!(cn=' dn | grep "cn=" | sed -e "s/dn: //" -e "/\#/d" > req_

Check that the numbers of request and certificate entries to purge are equal:
grep -c cn= cert_
grep -c cn= req_


(I hope this will help)

Thank you for your response,


- Original Message -----
From: "Fraser Tweedale" 
To: "freeipa-users" 
Cc: "David Goudet" 
Sent: Thursday, November 8, 2018 2:28:03 AM
Subject: Re: [Freeipa-users] Removal & clean up certificates from o=ipaca

On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote:
> Hello all,
> 
Hi David,

> I have to clean up a lot of useless certificates in the dirsrv database.
> Because of a resubmit loop on the Certmonger client, I have 99,9% of certificates in 
> the dirsrv database that are useless and not obsolete (expiration in 2020) (it 
> represents ~85 000 certificates).
> 
Did you already resolve the Certmonger resubmit loop?

> These useless certificates produce some issues on FreeIPA:
>  - decrease FreeIPA performances on CLI and GUI
>  - increase the LDAP size
>  - increase size and time of FreeIPA backup
> ...
> 
> Is it possible to purge these certificates in dirsrv database and how? 
> 
Yes.  You can remove them manually.

> I found two branches in LDAP directory about these certificates:
>
> dn: cn=xxx,ou=ca,ou=requests,o=ipaca
> dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca
> 
The certificateRepository contains the issued certificates, the
ou=ca,ou=requests contains data about the certificate requests.
Each certificateRepository entry contains a reference to the request
that produced it.

You'll have to manually work out which certs you don't want, delete
its certificateRepository entry (cn is the serial number), and
delete the corresponding request entry.

> I can remove all request and certificate entries from the dirsrv
> database, but how is it supported by the PKI manager Dogtag (CRL,
> certificate generation, OCSP)?
> 
CRLs and OCSP responses are generated using the data from the
certificateRepository.  Forgetting about non-expired certificates is
not valid under X.509, but since you have an operational issue, just
choose carefully which ones you keep and which ones you delete.

Don't delete the entry for any certificates in active use, OR any
non-expired but revoked certificate where you want it to appear in
CRLs or want valid OCSP responses for that certificate.

Also, whatever certificate has the highest serial number, do not
delete it.  When using sequential serial number (which is how Dogtag
gets configured by FreeIPA) upon startup Dogtag looks for the
highest serial number to work out what is the next serial number to
use.  So keep the cert with the highest serial number otherwise
serial numbers will be re-used.

Cheers,
Fraser
-- 
Davi
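The purge procedure and exclusion rules from this thread (David's cert_/req_ lists plus Fraser's keep-in-use, keep-expired/revoked and keep-highest-serial caveats) as an added dry-run script; this is example code, not from the thread or from FreeIPA/Dogtag. It assumes the export layout discussed above (serial in cn, certStatus, metaInfo holding requestId:N), and the LDIF sample is constructed.

```python
# Added example, not code from the thread. Dry-run purge plan for o=ipaca following
# Fraser's rules; LDIF is constructed and the metaInfo: requestId:N layout is assumed.
import re

CERT_LDIF = """\
dn: cn=87270,ou=certificateRepository,ou=ca,o=ipaca
certStatus: VALID
metaInfo: requestId:87286

dn: cn=87271,ou=certificateRepository,ou=ca,o=ipaca
certStatus: VALID
metaInfo: requestId:87287

dn: cn=87272,ou=certificateRepository,ou=ca,o=ipaca
certStatus: REVOKED
metaInfo: requestId:87288

dn: cn=87273,ou=certificateRepository,ou=ca,o=ipaca
certStatus: VALID
metaInfo: requestId:87289
"""

def parse_ldif(text):
    """Turn a simple ldapsearch export into a list of {attribute: value} dicts."""
    return [dict(ln.split(": ", 1) for ln in blk.splitlines() if ": " in ln)
            for blk in text.strip().split("\n\n")]

def plan_purge(ldif_text, in_use_serials):
    """Return ([cert serials to delete], [their request ids]) with exclusions applied."""
    certs = parse_ldif(ldif_text)
    serial = {e["dn"]: int(re.match(r"cn=(\d+),", e["dn"]).group(1)) for e in certs}
    highest = max(serial.values())  # Dogtag picks the next serial from this: never delete it
    del_serials, del_requests = [], []
    for e in certs:
        s = serial[e["dn"]]
        # keep: certs in active use, the highest serial, and anything expired/revoked (CRL/OCSP)
        if s in in_use_serials or s == highest or e.get("certStatus") != "VALID":
            continue
        m = re.match(r"requestId:(\d+)", e.get("metaInfo", ""))
        if not m:  # no request link: leave it for manual review rather than guess
            continue
        del_serials.append(s)
        del_requests.append(int(m.group(1)))
    return del_serials, del_requests

if __name__ == "__main__":
    serials, requests = plan_purge(CERT_LDIF, in_use_serials={87271})
    for s, r in zip(serials, requests):  # print the ldapdelete targets for review
        print(f"cn={s},ou=certificateRepository,ou=ca,o=ipaca")
        print(f"cn={r},ou=ca,ou=requests,o=ipaca")
```

The two lists come out pairwise, which is the same sanity check as comparing grep -c cn= on cert_ and req_.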

[Freeipa-users] Removal & clean up certificates from o=ipaca

2018-11-07 Thread David Goudet via FreeIPA-users
Hello all,

I have to clean up a lot of useless certificates in the dirsrv database.
Because of a resubmit loop on the Certmonger client, I have 99,9% of certificates in 
the dirsrv database that are useless and not obsolete (expiration in 2020) (it 
represents ~85 000 certificates).

These useless certificates produce some issues on FreeIPA:
 - decrease FreeIPA performances on CLI and GUI
 - increase the LDAP size
 - increase size and time of FreeIPA backup
...

Is it possible to purge these certificates in dirsrv database and how? 

I found two branches in LDAP directory about these certificates:
dn: cn=xxx,ou=ca,ou=requests,o=ipaca
dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca

I can remove all request and certificate entries from the dirsrv database, but how 
is it supported by the PKI manager Dogtag (CRL, certificate generation, OCSP)?

(This topic has already been discussed on 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RPF5XY3SXFIJFZG4FXLBZTXOQHWTDK4D/)

Thank you for your help

-- 
David GOUDET 

LYRA NETWORK 
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)

2017-07-07 Thread David Goudet via FreeIPA-users
Hi,

I am using FreeIPA v4; some client products do not support LDAP failover, 
so I am configuring an LDAP load balancer based on Keepalived to do LDAP stream 
fail-over.
I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA 
service LDAP/ldapha.xxx which has two IPs (ds01 & ds02) in its DNS alias entry.

Everything works as expected except TLS certificate verification on the client 
side: the hostname required by the client is ldapha.xxx, the stream is load balanced by 
Keepalived to ds01 or ds02, and the certificate provided by ds01 or ds02 does not 
include ldapha.xxx => TLS handshake failed.

nssdb certificate request:
 Request ID 'yyy':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: 
subject: CN=ds02.
expires: 2019-03-24 13:33:31 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
track: yes
auto-renew: yes

ipa-getcert resubmit -i yyy -D ds02. -D ldapha.xxx

Adding a new SAN to the default LDAP certificate in the nssdb is possible with the command above, 
but is it recommended/supported? When the FreeIPA software is updated, will this 
SAN configuration be persistent?
What is the best/recommended solution to cover this need?

Thank you for your help

-- 
David GOUDET 

LYRA NETWORK 
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574