If the CA certificate is signed by an external CA, certmonger might not be able to automatically update it. In fact, this is likely to require a financial transaction. The CA should send an email to a preconfigured account prior to expiration. If the CA cert expires, it will be very painful for an IPA based system, as all of the client machines' certificates will be invalid. They need to be notified of the new CA cert early enough to avoid triggering invalidation, and to keep their certificates valid for the currently stated lifespan.
It would be great if dogtag would provide this capability natively.
If not I think we'll need to do this as a cron job. How we handle upgrades with this is also something that will require some thought.
IPA does not currently configure an MTA so it is unclear who this e-mail would be delivered to.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=782968
This should be handled as a part of the larger effort of IPA subsystem certificate renewal. That work is covered by the following ticket:
https://fedorahosted.org/freeipa/ticket/2803
Closing this as a duplicate.
This is not a dup. Reopening. This is for the case when we are dealing with the external cert that we can't renew. We can only warn about.
Related to ticket #3687.
Bumping priority. There was another request (Bug 974476) for this feature.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=974476 (Fedora)
Metadata Update from @admiyo: - Issue assigned to rcritten - Issue set to the milestone: Ticket Backlog
Notification will be handled as part of the Healthcheck tool, https://pagure.io/freeipa/issue/7391
Closing as duplicate.
Metadata Update from @rcritten: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)