#3074 [RFE] Add CRL and OCSP CNAME to certificate profile
Closed: Fixed. Opened 6 years ago by nkinder.

This is related to https://fedorahosted.org/freeipa/ticket/1431

We should update our certificate profile to add the CRL and OCSP CNAME as an additional URL to the current URL (which uses the actual IPA server hostname). The CNAME URL should be listed before the server hostname URL.

This change can (and should) be made before ticket 1431 is addressed.


I think we should do it in 3.1 Stabilization right away.
Kicking back to NEEDS TRIAGE.

Changes required have been placed into https://fedorahosted.org/pki/ticket/358

One thing that I noticed was that the crldp extension is not currently included in the certs IPA issues because the list of extensions to be included:

policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10

does not include policy 9 --> which is the extension for crldp. We can fix that in the ipa profile, but this will necessitate changes in the ipa installation code because that list is parsed by the install code. In particular, see `cainstance.py` (`def enable_subject_key_identifier(self):`).
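A check for the profile problem described in the comment above, added here as an example and not code from FreeIPA or Dogtag: it parses a profile in the `key=value` form Dogtag profile files use, finds any policy whose default is the CRL distribution points extension, reports whether that policy is missing from the active `policyset.<set>.list`, and rewrites the list with the policy inserted in numeric order. The profile fragment is constructed, and the class name `crlDistributionPointsExtDefaultImpl` is an assumption about Dogtag's naming.

```python
"""Find and repair a CRL distribution point policy that is defined in a
Dogtag-style certificate profile but left out of the active policy list.

Added example, not code from the FreeIPA or Dogtag projects. The profile
text below is constructed; the class name CRLDP_CLASS is an assumption.
"""

CRLDP_CLASS = "crlDistributionPointsExtDefaultImpl"  # assumed Dogtag class name

# Constructed profile fragment mirroring the ticket: policy 9 is defined
# but absent from the policy list, so the extension is never emitted.
SAMPLE_PROFILE = """\
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.test/ipa/crl/MasterCRL.bin
policyset.serverCertSet.10.default.class_id=noDefaultImpl
"""


def parse_profile(text):
    """Parse key=value lines into a dict; blank and '#' lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' only; URLs may contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def listed_policies(props, policy_set="serverCertSet"):
    """Policy numbers that the profile actually applies, in list order."""
    raw = props.get(f"policyset.{policy_set}.list", "")
    return [int(x) for x in raw.split(",") if x.strip()]


def policy_ids_by_class(props, policy_set, class_id):
    """Policy numbers in policy_set whose default plugin is class_id."""
    prefix = f"policyset.{policy_set}."
    ids = []
    for key, value in props.items():
        if key.startswith(prefix) and key.endswith(".default.class_id") and value == class_id:
            ids.append(int(key[len(prefix):].split(".")[0]))
    return sorted(ids)


def missing_crldp_policies(props, policy_set="serverCertSet"):
    """CRLDP policies that are defined but not in the active list."""
    listed = set(listed_policies(props, policy_set))
    return [p for p in policy_ids_by_class(props, policy_set, CRLDP_CLASS) if p not in listed]


def enable_policies(props, policy_ids, policy_set="serverCertSet"):
    """New value for the list key with policy_ids added, numeric order kept."""
    merged = sorted(set(listed_policies(props, policy_set)) | set(policy_ids))
    return ",".join(str(p) for p in merged)


def repair_profile(text, policy_set="serverCertSet"):
    """Return the profile text with any missing CRLDP policy added to the list.

    Only the list line changes; every other line is passed through untouched.
    """
    props = parse_profile(text)
    missing = missing_crldp_policies(props, policy_set)
    if not missing:
        return text
    key = f"policyset.{policy_set}.list="
    new_list = enable_policies(props, missing, policy_set)
    return "\n".join(
        key + new_list if line.startswith(key) else line
        for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    props = parse_profile(SAMPLE_PROFILE)
    print("active policies:", listed_policies(props))
    print("CRLDP policies missing from list:", missing_crldp_policies(props))
    print(repair_profile(SAMPLE_PROFILE))
```

The same scan is what an installer would have to do before touching the list, since any code that parses `policyset.serverCertSet.list` (as the comment notes cainstance.py does) must tolerate the extra entry once it is added.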

It would be bad form to include an OCSP server that doesn't exist. We may need to add an option to not configure this CNAME as we can't guarantee it will be added if we don't control DNS.

OCSP checking using ocspclnt is causing Apache to core dump, https://bugzilla.redhat.com/show_bug.cgi?id=878237

NSS can only support a single OCSP server in an AIA. The last one wins. There is an upstream bug against NSS on this now: https://bugzilla.mozilla.org/show_bug.cgi?id=797815

Replying to [comment:9 rcritten]:

> NSS can only support a single OCSP server in an AIA. The last one wins. There is an upstream bug against NSS on this now: https://bugzilla.mozilla.org/show_bug.cgi?id=797815

This seems to be a Firefox bug not an NSS bug.

One of the NSS engineers, Kai Engert, confirmed that the call to obtain the OCSP responder, CERT_GetOCSPAuthorityInfoAccessLocation, only returns a single value.
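To make the limitation discussed in the two comments above concrete, here is an added example (not code from FreeIPA, Dogtag or NSS) that encodes and decodes an X.509 Authority Information Access extension value with the standard library only. The extension may legitimately carry several OCSP responder URIs, so a consumer that asks for a single responder necessarily drops the rest; `pick_single_responder` models the last-one-wins behaviour the ticket describes and is an illustration, not NSS's implementation. The URLs are constructed.

```python
"""Minimal DER encoder/decoder for AuthorityInfoAccessSyntax (RFC 5280):

    AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }

Only the uniformResourceIdentifier GeneralName ([6] IMPLICIT IA5String,
tag 0x86) is handled, which is what an OCSP responder entry uses.
Added example; sample URLs are constructed, pick_single_responder is a model.
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])   # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_aia(ocsp_urls):
    """Build an AIA value listing each URL as an OCSP AccessDescription."""
    descs = b"".join(
        _tlv(0x30, _encode_oid(ID_AD_OCSP) + _tlv(0x86, url.encode("ascii")))
        for url in ocsp_urls)
    return _tlv(0x30, descs)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_ocsp_urls(aia_der):
    """Every OCSP responder URI in the extension, in certificate order."""
    tag, seq, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    urls, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)
        _, method, after_method = _read_tlv(desc, 0)
        ltag, location, _ = _read_tlv(desc, after_method)
        if _decode_oid(method) == ID_AD_OCSP and ltag == 0x86:
            urls.append(location.decode("ascii"))
    return urls


def pick_single_responder(aia_der):
    """Model of a single-value lookup: the last OCSP entry wins and the
    earlier ones are silently ignored, which is the concern in the ticket."""
    urls = decode_ocsp_urls(aia_der)
    return urls[-1] if urls else None


if __name__ == "__main__":
    aia = encode_aia(["http://ipa-ca.example.test/ca/ocsp",
                      "http://ipa1.example.test/ca/ocsp"])
    print("all responders:", decode_ocsp_urls(aia))
    print("single-value lookup returns:", pick_single_responder(aia))
```

Running the block shows that listing the CNAME URL first (as the ticket proposes) does not help a single-value consumer: what it sees depends on which entry is last, so a profile that emits two responders needs the client-side behaviour verified before it is relied on.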

I took over the work on this ticket, assigning to myself.

After a discussion with vakwetu and rcritten we decided to not do any update to vanilla pki-ca certificate profile - i.e. dogtag ticket 358 was closed.

I will need to do all the code that configures the CRL/OCSP anyway, so we can use it in clean install too.

There is also one more change - we agreed with rcritten that the CNAME should have a more general name and we chose ipa-ca.$DOMAIN.

Metadata Update from @nkinder:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.1 Stabilization

2 years ago
