Hullo all,
FreeIPA Lightweight CAs implementation is progressing well. The
remaining big unknown in the design is how to do renewal. I have
put my ideas into the design page[1] and would appreciate any and
all feedback!
[1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
Some brief commentary on the options:
I intend to implement approach (1) as a baseline. Apart from
implementing machinery in Dogtag to actually perform the renewal -
which is required for all the approaches - it's not much work and
gets us over the "lightweight CAs can be renewed easily" line, even
if it is a manual process.
For automatic renewal, I am leaning towards approach (2). Dogtag
owns the lightweight CAs so I think it makes sense to give Dogtag
the ability to renew them automatically (if configured to do so),
without relying on external tools, i.e. Certmonger. But as you will
see from the outlines, each approach has its upsides and downsides.
Cheers,
Fraser