On 7.10.2013 17:30, Martin Kosek wrote:
On 10/04/2013 12:01 PM, Jan Cholasta wrote:
Hi,

you can find a draft of the design document for this feature at
<http://www.freeipa.org/page/V3/CA_certificate_renewal>.

Comments are welcome.

Honza


1) Shared certificate store

Shouldn't we name the container as cn=cacerts,cn=ipa,cn=etc,suffix? It seems
that the current design would allow storing certificates not only for the IPA CA, but
also for custom servers managed by IPA.

The store is basically an NSS database in LDAP, so theoretically you could store any cert in there, but IPA will understand only CA certificates (at least for now).



2) Distributing CA certificates to clients

So /etc/ipa/ca.crt would contain multiple certificates, even the whole
certificate chains? Will that fly for example when doing ldapsearch -ZZZ + have
TLS_CACERT pointing to /etc/ipa/ca.crt?

libldap understands CA PEM bundles, so this will fly.



3) Implementation

I am not confident about the cron part. If you have 1000 client machines,
asking every hour for an update, that could create a lot of traffic. Maybe some
certmonger-like heuristics would be in place? Like test each week under normal
circumstances, test each day when a cert in /etc/ipa/ca.crt is about to expire.

I am also thinking how to randomize the cron schedule so that every client does
not run the check in the same moment - to split the load.

The script is run hourly for sufficiently small time granularity, but that doesn't mean it will contact the server every time it is run. Some heuristics and randomization will definitely be in place.


Martin


Honza

--
Jan Cholasta
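To make the scheduling discussion above concrete, here is an added example (not FreeIPA's own code, and not what the design document specifies) of an hourly cron entry point that polls the server only on a weekly or daily cadence, switches to the daily cadence when any certificate in the PEM bundle is near its notAfter, and spreads clients over the window with a deterministic per-host offset so that a fleet of clients does not all contact the server in the same hour. The path /etc/ipa/ca.crt is taken from the thread; the week/day intervals, the 28-day "about to expire" window, the sha256-based offset and the sample bundle are assumptions of this example. Parsing notAfter out of the certificates is left to a proper X.509 parser; the functions here take the expiry times as input.

```python
"""Added example: refresh policy for the CA bundle in /etc/ipa/ca.crt, meant to
be called from an hourly cron job.  Not FreeIPA code; the intervals, the expiry
window and the jitter scheme are assumptions made for illustration."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# The bundle may carry several certificates (the whole chain), one per PEM block.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

HOUR = timedelta(hours=1)
NORMAL_INTERVAL = timedelta(days=7)   # assumed: poll weekly under normal conditions
URGENT_INTERVAL = timedelta(days=1)   # assumed: poll daily when a cert is about to expire
EXPIRY_WINDOW = timedelta(days=28)    # assumed: what "about to expire" means here

# Constructed sample bundle: two PEM blocks with placeholder bodies, only used to
# show that a bundle is split into its individual certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderRootCA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderSubCA==\n-----END CERTIFICATE-----\n"
)


def utc(year, month, day, hour=0, minute=0):
    """Helper: build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def split_pem_bundle(bundle_text):
    """Return the individual PEM certificate blocks of a bundle (text level only;
    the certificates themselves are not parsed here)."""
    return PEM_CERT_RE.findall(bundle_text)


def check_interval(not_after_list, now):
    """Weekly by default; daily as soon as any certificate in the bundle is within
    EXPIRY_WINDOW of its notAfter, or already past it."""
    if any(not_after - now <= EXPIRY_WINDOW for not_after in not_after_list):
        return URGENT_INTERVAL
    return NORMAL_INTERVAL


def slot_start(now, interval):
    """Start of the epoch-aligned window of length `interval` that contains `now`."""
    secs = int(interval.total_seconds())
    start = (int(now.timestamp()) // secs) * secs
    return datetime.fromtimestamp(start, tz=timezone.utc)


def client_offset(hostname, interval):
    """Deterministic per-host offset into the window, in whole hours, so that
    clients are spread across the window instead of polling at the same moment.
    Whole hours guarantee that an hourly cron run lands on or after the offset."""
    digest = hashlib.sha256(hostname.encode("utf-8")).hexdigest()
    hours = int(interval / HOUR)
    return HOUR * (int(digest, 16) % hours)


def should_contact_server(hostname, last_check, not_after_list, now):
    """Decide, on one hourly cron run, whether to ask the server for updates.
    Each host contacts the server once per window, at its own hour; a missed run
    (machine switched off) is caught up by the next run in the same window."""
    interval = check_interval(not_after_list, now)
    run_at = slot_start(now, interval) + client_offset(hostname, interval)
    if now < run_at:
        return False
    return last_check is None or last_check < run_at


def simulate(hostname, not_after_list, first_run, runs):
    """Replay `runs` hourly cron invocations and count the server contacts."""
    last_check = None
    contacts = 0
    for i in range(runs):
        now = first_run + i * HOUR
        if should_contact_server(hostname, last_check, not_after_list, now):
            contacts += 1
            last_check = now
    return contacts


if __name__ == "__main__":
    now = utc(2013, 10, 7, 17, 30)
    print("certs in bundle:", len(split_pem_bundle(SAMPLE_BUNDLE)))
    print("interval:", check_interval([utc(2013, 10, 20)], now))
    print("contacts over two days:",
          simulate("client1.example.com", [utc(2013, 10, 20)],
                   slot_start(now, URGENT_INTERVAL) + HOUR / 4, 48))
```

The windows are aligned to the epoch rather than to each client's last check, so the spread does not depend on when clients were enrolled: a thousand clients installed from the same image in the same minute still end up in different hours of the week. If the last check is recorded on disk (as it would be in a real client), the "last_check < run_at" test also makes the policy robust to cron runs that never happen.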

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel