#9611 Expose IPA ca crt and CRL for public consumption (AAA project)
Closed: Fixed 3 years ago by arrfab. Opened 3 years ago by arrfab.

For services using TLS authentication and with certificates being signed by Dogtag in IPA (prod and staging), it would be needed to expose the CRL (used to check for revoked certificates) and also the CA cert itself (for people retrieving it).

The CA is automatically available on any enrolled node in IPA, but for contributors on laptops (non-enrolled) there will probably be a need to have it available (see the other discussion about OTP, which would require a FAST kerberos cache, relying itself on a connection using the main CA).

So it would be nice to have (through haproxy) a link to both the CA and the CRL.

Worth knowing that by default, every generated/signed certificate on IPA (prod) uses this WRT CRL:

URI:http://ipa-ca.fedoraproject.org/ipa/crl/MasterCRL.bin

For the CA, it's internally available over /ipa/config/ca.crt, but we can probably use something like https://id.fedoraproject.org/ca.crt (or something like that, as long as we publish that URL).

Is it possible to have proxy rules to retrieve these public ca.crt and crl? (Worth knowing that @mobrien is already looking at why MasterCRL.bin doesn't seem to be available even internally.)


I have added a security review on this as I was not part of the IPA bring-up and I do not remember if this was not done as a mitigation for some other item. If it was not, the security officer or others can just remove security from the tag.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: authentication, medium-gain, medium-trouble, ops, security

3 years ago

This is the automatic URL included by dogtag/IPA, I did not configure that part when we set up IPA.
Changing this should be a change of the IPA extensions configuration, and is fine to do.
When you do so, please ensure it uses https as the URL.

I would suggest something like https://id.fp.o/ipa_ca.crt or https://admin.fedoraproject.org/accounts/ipa_ca.crt (and probably also .pem after converting it), to ensure it's clear that the certificate is actually the IPA CA, and not one of the keys used by Ipsilon for e.g. SAML.

Metadata Update from @puiterwijk:
- Issue untagged with: security

3 years ago

+1 for both id.fedoraproject.org/ipa_ca.crt and/or admin.fpo/accounts/ipa_ca.crt, as long as we have it somewhere.

For the CRL, there is indeed a way to change the URL in the generated cert (documented in the doc), but for me it doesn't matter, as long as it's also available somewhere; our koji setup (for cbs.centos.org, that is) would still rely on TLS auth, so using a CRL would be appreciated.
That's what we used with FAS/ACO: the generated CRL was then reloaded into httpd on a regular basis (https://accounts.centos.org/ca/crl.pem).

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
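The first post and the comment above describe what a TLS-auth consumer such as the koji setup actually does with the published artifacts: read the crlDistributionPoints URI (URI:http://ipa-ca.fedoraproject.org/ipa/crl/MasterCRL.bin) out of a client certificate, fetch the CRL (DER as MasterCRL.bin, or PEM as ACO's crl.pem), verify that it really was signed by the CA and is still current, and only then look the serial up. The following is an added example of that check, not code from the ticket or from IPA/Dogtag; it uses the Python `cryptography` package, constructs a throwaway CA, two client certs and a CRL inline so it runs offline, and the CA/host names and serials are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# CRL distribution point URI quoted in the ticket for IPA prod certs.
CRL_URI = "http://ipa-ca.fedoraproject.org/ipa/crl/MasterCRL.bin"


def _now():
    return datetime.now(timezone.utc)


def make_ca(cn="Constructed IPA-like CA"):
    """Self-signed CA (constructed for the demo) with keyCertSign and cRLSign."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn, crl_uri=CRL_URI):
    """Leaf cert carrying a crlDistributionPoints URI, as the IPA-issued certs do."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(crl_uri)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=90))
        .add_extension(cdp, critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(signing_key, issuer_cert, revoked_serials, validity=timedelta(days=1)):
    """CRL naming issuer_cert as issuer; signing_key need not match (used to forge one)."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(_now() - timedelta(hours=1))
        .next_update(_now() + validity)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(_now() - timedelta(minutes=30))
            .build())
    return builder.sign(signing_key, hashes.SHA256())


def crl_uris(cert):
    """URIs a verifier would fetch the CRL from; [] if the cert carries no CDP."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def load_crl(data):
    """Accept both a DER MasterCRL.bin and a PEM crl.pem as ACO served."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_crl(data)
    return x509.load_der_x509_crl(data)


def check_against_crl(cert, crl_bytes, ca_cert, now=None):
    """'good' only if the CRL is the CA's, signed by it, current, and does not list
    cert's serial; any other result is a reason to refuse the client (fail closed)."""
    now = now or _now()
    crl = load_crl(crl_bytes)
    if crl.issuer != cert.issuer or crl.issuer != ca_cert.subject:
        return "wrong-issuer"
    # The signature check is what makes a CRL fetched over plain http trustworthy.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-signature"
    next_update = getattr(crl, "next_update_utc", None)  # cryptography >= 42
    if next_update is None:  # older releases expose a naive UTC datetime
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    if now > next_update:  # a replayed, expired CRL must not be accepted
        return "stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    ca_key, ca_cert = make_ca()
    good = issue_client_cert(ca_key, ca_cert, "builder01.example")   # constructed name
    bad = issue_client_cert(ca_key, ca_cert, "lost-laptop.example")  # constructed name
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    attacker_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    forged = build_crl(attacker_key, ca_cert, [])  # right issuer name, wrong key
    der, pem = serialization.Encoding.DER, serialization.Encoding.PEM
    return {
        "uris": crl_uris(good),
        "good": check_against_crl(good, crl.public_bytes(der), ca_cert),
        "revoked": check_against_crl(bad, crl.public_bytes(pem), ca_cert),
        "stale": check_against_crl(good, crl.public_bytes(der), ca_cert,
                                   now=_now() + timedelta(days=3)),
        "forged": check_against_crl(good, forged.public_bytes(der), ca_cert),
    }


if __name__ == "__main__":
    for outcome, status in demo().items():
        print(f"{outcome}: {status}")
```

The order of the checks matters: issuer and signature are verified before the serial lookup, so an attacker who can serve content at the CRL URL (which is plain http in the embedded URI) cannot un-revoke a certificate by handing out an empty CRL, only replay an old signed one, and the nextUpdate check bounds how long that replay works. Publishing the CA certificate at a clearly named URL, as suggested in the comments, is what gives a non-enrolled client the key needed for that signature check in the first place.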

Just reopening, but nothing really urgent (found out when testing STG): is it possible to also expose the one from STG through a URL variant? So https://id.stg.fedoraproject.org/ipa/crl/MasterCRL.bin ?

Metadata Update from @arrfab:
- Issue status updated to: Open (was: Closed)

3 years ago

NVM, it is already available for STG too. Closing.

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
