One of the work items we have is being able to store the CA's certificate to a database when we store the certificate that it issued to us. Caching the issuer certificate when we can obtain it over an authenticated path is a necessary step in being able to do that.
It looks like we'll want to try to check the state of the issuer certificates at daemon startup and periodically while the certificates are still valid, similar to how we monitor our own.
We'll need a refresh-ca option for getcert to force an immediate poll, similar to its resubmit option.
Metadata Update from @nalin:
- Issue set to the milestone: 0.76
@nalin @rcritten Would this work with IPA's sub CAs? Currently when using them, there is not a trivial way to get the subCA's certificate.
I would have expected the getcert request's -F option, which retrieves the CA, to get the subCA's cert (probably in the form of a chain).
This currently makes it somewhat problematic and hacky for us to use subCAs in OpenStack.