FreeIPA Lightweight CAs implementation is progressing well. The
remaining big unknown in the design is how to do renewal. I have
put my ideas into the design page and would appreciate any and
Some brief commentary on the options:
I intend to implement approach (1) as a baseline. Apart from
implementing machinery in Dogtag to actually perform the renewal -
which is required for all the approaches - it's not much work and
gets us over the "lightweight CAs can be renewed easily" line, even
if it is a manual process.
For automatic renewal, I am leaning towards approach (2). Dogtag
owns the lightweight CAs so I think it makes sense to give Dogtag
the ability to renew them automatically (if configured to do so),
without relying on external tools, i.e. Certmonger. But as you will
see from the outlines, each approach has its upside and downside.
Attached patches implement LWCA renewal support. It includes a REST
API, but it is not implemented in the CLI tool yet. If we decide to
make it a first-class CLI feature (cf. certmonger, IPA, etc. managing
the renewal) then I'll file the ticket and implement it at that time.
The TPSSubsystem has been modified to load and validate the token
state transition lists during initialization. If any of the lists
is empty or any of the transitions is invalid, the initialization
will fail and the subsystem will not start.
Endi S. Dewata
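To make the fail-closed behaviour described above concrete, here is an added illustration (not Dogtag code, and not from the message's patches) of loading token state transition lists from configuration and refusing to start when any list is empty or contains a transition that references an unknown state. The config key names, the "from:to,from:to" list syntax and the state code table are assumptions constructed for the example.

```python
"""Fail-closed validation of token state transition lists (constructed example)."""

# Constructed state table for this example; not Dogtag's real status codes.
TOKEN_STATES = {
    0: "UNINITIALIZED",
    1: "DAMAGED",
    2: "PERM_LOST",
    3: "TEMP_LOST",
    4: "ACTIVE",
    5: "TERMINATED",
}

# Assumed config key names and "from:to,from:to,..." list syntax (assumption).
TRANSITION_KEYS = ("tokendb.allowedTransitions", "tps.operations.allowedTransitions")


class TransitionConfigError(ValueError):
    """Raised when a transition list would leave the subsystem in an unsafe state."""


def parse_transitions(raw):
    """Parse 'a:b,c:d' into a set of (from, to) integer pairs.

    Malformed entries raise rather than being silently skipped, so a typo
    cannot quietly shrink the allowed set.
    """
    transitions = set()
    for item in filter(None, (part.strip() for part in raw.split(","))):
        src, sep, dst = item.partition(":")
        if not sep or not src.strip().isdigit() or not dst.strip().isdigit():
            raise TransitionConfigError(f"malformed transition {item!r}")
        transitions.add((int(src), int(dst)))
    return transitions


def validate_transitions(key, raw):
    """Return the parsed set, or raise if it is empty or names an unknown state."""
    transitions = parse_transitions(raw)
    if not transitions:
        raise TransitionConfigError(f"{key}: transition list is empty")
    for src, dst in sorted(transitions):
        for state in (src, dst):
            if state not in TOKEN_STATES:
                raise TransitionConfigError(
                    f"{key}: unknown state {state} in {src}:{dst}")
    return transitions


def load_subsystem(config):
    """Simulated initialization: every configured list must validate."""
    loaded = {}
    for key in TRANSITION_KEYS:
        # A missing key yields "" and therefore an empty list, which is rejected.
        loaded[key] = validate_transitions(key, config.get(key, ""))
    return loaded


def is_allowed(transitions, src, dst):
    """Check a single state change against a validated transition set."""
    return (src, dst) in transitions


def try_start(config):
    """Return (started, error) so callers can see the fail-closed outcome."""
    try:
        load_subsystem(config)
        return True, None
    except TransitionConfigError as exc:
        return False, str(exc)


# Constructed sample configurations.
GOOD_CONFIG = {
    "tokendb.allowedTransitions": "0:4,4:1,4:2,4:3,3:4,3:2,1:5,2:5",
    "tps.operations.allowedTransitions": "0:4,4:4,3:4",
}
BAD_EMPTY = {
    "tokendb.allowedTransitions": "0:4,4:5",
    # tps.operations.allowedTransitions missing -> empty list -> startup fails
}
BAD_UNKNOWN = {
    "tokendb.allowedTransitions": "0:4,4:9",  # state 9 does not exist
    "tps.operations.allowedTransitions": "0:4",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("empty", BAD_EMPTY), ("unknown", BAD_UNKNOWN)):
        print(name, try_start(cfg))
```

The point of returning an error rather than a partially loaded table is that an operator sees the misconfiguration at startup, instead of discovering later that a token could move into a state the policy never allowed.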
The TPS VLV indexes have been fixed to use the correct vlvScope
(i.e. one level). The unsupported minus sign in vlvSort and the
redundant vlvEnabled have been removed.
Endi S. Dewata
I had some time during layovers/flights and threw a couple of ideas
together about how to handle the DB changes we have to perform for
fine-grained authz and sub CAs, and other future changes...
Please take a look and comment.