Re: [Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

On 05/09/2016 09:35 AM, Jan Cholasta wrote: > Hi, > > On 6.5.2016 08:01, Fraser Tweedale wrote: >> Hullo all, >> >> FreeIPA Lightweight CAs implementation is progressing well. The >> remaining big unknown in the design is how to do renewal. I have >> put my ideas into the design page[1] and would appreciate any and >> all feedback! >> >> [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal >> >> Some brief commentary on the options: >> >> I intend to implement approach (1) as a baseline. Apart from >> implementing machinery in Dogtag to actually perform the renewal - >> which is required for all the approaches - it's not much work and >> gets us over the "lightweight CAs can be renewed easily" line, even >> if it is a manual process. >> >> For automatic renewal, I am leaning towards approach (2). Dogtag >> owns the lightweight CAs so I think it makes sense to give Dogtag >> the ability to renew them automatically (if configured to do so), >> without relying on external tools i.e. Certmonger. But as you will >> see from the outlines, each approach has its upside and downside. > > I would prefer (3), as I would very much like to avoid duplicating > certmonger's functionality in Dogtag. > > Some comments on the disadvantages: > > * "Proliferation of Certmonger tracking requests; one for each > FreeIPA-managed lightweight CA." > > I don't think this is an actual issue, as it's purely cosmetic. > > * "Either lightweight CA creation is restricted to the renewal master, > or the renewal master must observe the creation of new lightweight CAs > and start tracking their certificate." > > IMO this doesn't have to be done automatically in the initial > implementation. You could extend ipa-certupdate to set up certmonger for > lightweight CAs and have admins run it manually on masters after adding > a new lightweight CA. They will have to run it anyway to get the new > lightweight CA certificate installed in the system, so it should be fine > to do it this way. I'm afraid that it can lead to errors where admins would distribute the cert by other means and as a result this command would not be run on renewal master even though it is easier. But it is still better than #1 without auto-renewal mechanism.

> > * "Development of new Certmonger renewal helpers solely for > lightweight CA renewal." > > It would be easier to extend the existing helpers. I don't think > there is anything preventing them from being used for lighweight CAs, > except not conveying the CA name, which should be easy to implement. > > > I would also avoid starting with (1), I don't believe it adds any real > value. IMHO the first thing that should be done is implement lightweight > CA support in certmonger (add new 'request' / 'start-tracking' option > for CA name, store it in tracking requests, pass it to CA helpers in a > new environment variable). > > > Honza >