#2454 [RFE] - Reducing the number of OCSP and audit signing certificates
Closed: migrated 3 years ago by dmoluguw. Opened 7 years ago by edewata.

Currently the CA and OCSP subsystems have their own OCSP signing certificates. Also, all PKI subsystems have their own audit signing certificates. So potentially there are seven different OCSP and audit signing certificates in the whole system. Each certificate has a unique nickname defined in /etc/pki/default.cfg:

[CA]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA

[KRA]
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA

[OCSP]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP

[TKS]
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS

[TPS]
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS

While all of these certificates might be required in large deployments, they might be excessive in smaller deployments. For basic installations the admin might prefer to reuse the same OCSP and audit signing certificates for the whole system for simplicity. Also, OCSP load balancing probably requires reusing the same certificate in all OCSP instances as well.

In ticket #2280 there's already a plan to provide a mechanism to reuse existing system certificates if they already exist. Once that mechanism is implemented, the default.cfg can be changed to use the same nicknames for all subsystems:

[CA]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s

[KRA]
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s

[OCSP]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s

[TKS]
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s

[TPS]
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s

With this mechanism, by default it will reuse the same OCSP and audit signing certificates, but the admin will still have the flexibility to use different certificates for each subsystem if needed.
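As an added example (not code from the ticket or from the Dogtag PKI project), the following Python script resolves the %(pki_instance_name)s references in a constructed default.cfg excerpt with configparser, the same interpolation syntax default.cfg uses, and reports how many distinct signing certificates each layout configures and which nicknames are shared between subsystems. The instance name pki-tomcat and the generated file contents are assumptions; the script covers both the current and the proposed layout.

```python
import configparser

# Subsystems and the signing-cert kinds each one configures, per the ticket.
SUBSYSTEMS = {"CA": ("ocsp", "audit"), "KRA": ("audit",), "OCSP": ("ocsp", "audit"),
              "TKS": ("audit",), "TPS": ("audit",)}


def default_cfg(per_subsystem_suffix: bool) -> str:
    """Constructed excerpt of /etc/pki/default.cfg (not the real file).

    True reproduces the current layout with a per-subsystem suffix in every
    nickname; False reproduces the ticket's proposed layout without it.
    """
    lines = []
    for subsystem, kinds in SUBSYSTEMS.items():
        lines.append(f"[{subsystem}]")
        for kind in kinds:
            suffix = f" {subsystem}" if per_subsystem_suffix else ""
            lines.append(f"pki_{kind}_signing_nickname="
                         f"{kind}SigningCert cert-%(pki_instance_name)s{suffix}")
    return "\n".join(lines) + "\n"


def signing_cert_usage(cfg_text: str, instance: str = "pki-tomcat") -> dict[str, list[str]]:
    """Map each resolved nickname to the SECTION.key entries that reference it.

    %(pki_instance_name)s is expanded by configparser's BasicInterpolation
    from the assumed instance name supplied as a default.
    """
    cfg = configparser.ConfigParser(defaults={"pki_instance_name": instance})
    cfg.read_string(cfg_text)
    usage: dict[str, list[str]] = {}
    for section in cfg.sections():
        for key, value in cfg.items(section):   # values come back interpolated
            if key.endswith("_signing_nickname"):
                usage.setdefault(value, []).append(f"{section}.{key}")
    return usage


def shared_nicknames(usage: dict[str, list[str]]) -> dict[str, list[str]]:
    """Only the nicknames referenced by more than one entry (one NSS key reused)."""
    return {nick: refs for nick, refs in usage.items() if len(refs) > 1}


if __name__ == "__main__":
    for label, text in (("current", default_cfg(True)), ("proposed", default_cfg(False))):
        usage = signing_cert_usage(text)
        print(f"{label}: {len(usage)} distinct signing certificates")
        for nick, refs in shared_nicknames(usage).items():
            print(f"  shared: {nick!r} <- {', '.join(refs)}")
```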


Per PKI Bug Council of 09/14/2016: 10.4 -- [RFE]

Metadata Update from @edewata:
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2574

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
