On Wed, 11 Mar 2020, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote:
Makes me look at this a different way. Perhaps change the certstore to
only return valid CA certs. That way they are stored if anyone ever
wants them but they won't get pulled down for ipa-certupdate or
ipa-client-install.

Or to try the ipa-cacert-manage route, it was mostly the UI part for why
I didn't do it. I wasn't sure if the best way would be to interactively
show each cert and do a delete Y/N or what. Perhaps a delete with
--expired-only to do the cleanup. I'm open to suggestions.

rob


I think it's fine to change ipa-certupdate so it skips expired /
not-yet-valid certs.

IMO we should never automatically prune expired certs from the LDAP
trust store, so that if customer needs to do time travel to fix an
issue, the old CA certs will still be there and an ipa-certupdate
will "restore" them to the various certificate DBs.

And for the same reason, I'd be hesitant to offer a UI to prune
expired certs from the trust store.

I agree. So, we still need a ticket for ipa-certupdate to gain an
explicit option to ignore expired certs.
IMHO it should be the default for certstore.get_ca_certs(). I opened
https://pagure.io/freeipa/issue/8223

I don't know of a case where we would want to fetch non-valid CA
certificates, please update the ticket if you know of any.

Valid from which point of view? A system we run on? E.g. based on the
local time setup?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
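Added illustration of the filtering discussed in this thread; this is not FreeIPA's code and not the API of its certstore module. The CACert records and the sample trust store are constructed stand-ins for the X.509 objects a real store would return. The point it makes is the one raised in the last message: "valid" only means something relative to a reference time, so the filter takes that time as an explicit parameter instead of silently reading the host clock, and it reports what it skipped rather than dropping certificates silently. The expired and not-yet-valid entries stay in the store, so a caller that passes an earlier reference time ("time travel") gets the old CA back.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class CACert:
    """Constructed stand-in for a CA certificate held in a trust store.

    A real store would hand back X.509 objects; only the fields the
    validity check needs are modelled here.
    """
    nickname: str
    not_before: datetime  # start of validity, timezone-aware UTC
    not_after: datetime   # end of validity, timezone-aware UTC


def classify(cert: CACert, reference_time: datetime) -> str:
    """Return 'valid', 'expired' or 'not-yet-valid' for cert at reference_time."""
    if reference_time < cert.not_before:
        return "not-yet-valid"
    if reference_time > cert.not_after:
        return "expired"
    return "valid"


def get_ca_certs(store, reference_time=None, skip_invalid=True):
    """Return (kept, skipped) from the store.

    kept:    certs valid at reference_time (all certs if skip_invalid=False)
    skipped: (nickname, reason) pairs so the caller can log what was left out

    reference_time defaults to the current UTC time of the calling host, and
    that default is exactly the assumption worth making explicit: if the host
    clock is wrong, the filter silently skips the CA that is actually current.
    """
    if reference_time is None:
        reference_time = datetime.now(UTC)
    if reference_time.tzinfo is None:
        # A naive datetime would be compared against aware ones and raise a
        # confusing TypeError deep inside classify(); fail early instead.
        raise ValueError("reference_time must be timezone-aware")

    kept, skipped = [], []
    for cert in store:
        status = classify(cert, reference_time)
        if status == "valid" or not skip_invalid:
            kept.append(cert)
        else:
            skipped.append((cert.nickname, status))
    return kept, skipped


# Constructed sample trust store: an old CA that has expired, the current CA,
# and a successor CA whose validity has not started yet.
SAMPLE_STORE = [
    CACert("OLD_IPA_CA", datetime(2008, 1, 1, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC)),
    CACert("IPA_CA", datetime(2018, 1, 1, tzinfo=UTC), datetime(2038, 1, 1, tzinfo=UTC)),
    CACert("NEXT_IPA_CA", datetime(2030, 1, 1, tzinfo=UTC), datetime(2050, 1, 1, tzinfo=UTC)),
]


def nicknames(certs):
    return [c.nickname for c in certs]


if __name__ == "__main__":
    today = datetime(2020, 3, 11, tzinfo=UTC)
    kept, skipped = get_ca_certs(SAMPLE_STORE, reference_time=today)
    print("kept:", nicknames(kept))        # ['IPA_CA']
    print("skipped:", skipped)             # OLD expired, NEXT not-yet-valid

    # "Time travel": asking for the store as of 2015 restores the old CA.
    kept, _ = get_ca_certs(SAMPLE_STORE, reference_time=datetime(2015, 6, 1, tzinfo=UTC))
    print("kept in 2015:", nicknames(kept))  # ['OLD_IPA_CA']
```

The split between "expired" and "not-yet-valid" in the skipped list matters for diagnosis: on a host whose clock has been reset to the past, every current CA shows up as not-yet-valid, which is a much clearer signal of a clock problem than an empty result.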