Hullo all,

FreeIPA Lightweight CAs implementation is progressing well. The remaining big unknown in the design is how to do renewal. I have put my ideas into the design page[1] and would appreciate any and all feedback!

[1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal

Some brief commentary on the options:

I intend to implement approach (1) as a baseline. Apart from implementing machinery in Dogtag to actually perform the renewal - which is required for all the approaches - it's not much work and gets us over the "lightweight CAs can be renewed easily" line, even if it is a manual process.

For automatic renewal, I am leaning towards approach (2). Dogtag owns the lightweight CAs so I think it makes sense to give Dogtag the ability to renew them automatically (if configured to do so), without relying on external tools i.e. Certmonger. But as you will see from the outlines, each approach has its upside and downside.

Cheers,
Fraser