#3259 [RFE] Allow publishing more than one root CA certs
Closed: Fixed. Opened 11 years ago by dpal.

Ticket #2930 will put the CA cert into LDAP. However, for the CA cert expiration case and the related CA key rotation every once in a while, we need to have a way to publish more than one root CA cert for clients to fetch. The client side should detect that a new cert is published and pull it, so that the CA cert can be rotated without client downtime.

A corresponding ticket needs to be opened against SSSD or certmonger to do the client side polling. Right now we pull it just once during the ipa-client-install.

There was another RFE that would call for a generic mechanism to pass some policies from server to client but I could not find it in either SSSD or IPA trac.
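The rotation flow described in the ticket, as an added example that is not part of the ticket or of FreeIPA's own code: the client reads every certificate in the bundle it already trusts and every certificate the server currently publishes, fingerprints each one, and computes which roots are new (to install) and which are no longer published (candidates for removal). The PEM splitter matters because during a rotation the published bundle carries both the old and the new root; a client that takes only the first value never learns about the successor. The "certificates" below are constructed placeholders (base64 of short byte strings, not real DER), and the bundle strings, function names and the assumption that both sides are exchanged as PEM text are all this example's own.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _fake_pem(label: bytes) -> str:
    # Constructed placeholder: wraps arbitrary bytes in PEM armour so the
    # bundle handling can be exercised offline. Not a real certificate.
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: the client trusts one root today.
LOCAL_BUNDLE = _fake_pem(b"constructed-root-ca-2013")

# Constructed sample: the server now publishes the old root and its successor,
# so clients can pick up the new root before the old one expires.
PUBLISHED_BUNDLE = (
    _fake_pem(b"constructed-root-ca-2013") + _fake_pem(b"constructed-root-ca-2014")
)


def split_pem_bundle(bundle: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in order.

    Returning only the first block is exactly the 'pull one value' problem the
    ticket warns about: a bundle with two roots would be treated as having one.
    """
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_BLOCK.finditer(bundle)
    ]


def fingerprint(der: bytes) -> str:
    # SHA-256 over the DER bytes is a stable identity for a certificate.
    return hashlib.sha256(der).hexdigest()


def index_bundle(bundle: str) -> Dict[str, bytes]:
    return {fingerprint(der): der for der in split_pem_bundle(bundle)}


def plan_ca_update(local_bundle: str, published_bundle: str) -> Tuple[List[str], List[str]]:
    """Compare what the client trusts with what the server publishes.

    Returns (fingerprints to install, fingerprints no longer published).
    The caller decides when to actually drop an unpublished root; installing
    the new ones is the part that must happen before the old root expires.
    """
    local = index_bundle(local_bundle)
    published = index_bundle(published_bundle)
    to_add = [fp for fp in published if fp not in local]
    to_remove = [fp for fp in local if fp not in published]
    return to_add, to_remove


if __name__ == "__main__":
    add, remove = plan_ca_update(LOCAL_BUNDLE, PUBLISHED_BUNDLE)
    print(f"new roots to install: {len(add)}")
    print(f"trusted roots no longer published: {len(remove)}")
```

On a real client the local side would be the system CA store or the NSS database and the published side the values fetched from the server; the reconciliation logic is the same, and a poller that runs it periodically is what lets the new root land on every client while the old one is still valid.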


Reassigning to jcholast, as agreed with him.

Moving to current 3.4 month cycle.

3.4 development was shifted for one month, moving tickets to reflect reality better.

Related is that things that pull the CA certificate need to pull all values. ipa-client-install does not appear to do this, in EL 5 in any case.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Adding to list of tickets required for 4.0 release.

There is not enough time to review and test this feature properly for 4.0. Moving to 4.1.

Closed with #3737, see there for the commit list.

master:

  • 231f57c Introduce NSS database /etc/ipa/nssdb
  • 86c534d Move NSSDatabase from ipaserver.certs to ipapython.certdb
  • b764e9d Add NSSDatabase.has_nickname for checking nickname presence in a NSS DB
  • bbf9622 Use NSSDatabase instead of direct certutil calls in client code
  • f40a0ad Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
  • 9ab402c Check if IPA client is configured in ipa-certupdate
  • 4e68046 Get server hostname from jsonrpc_uri in ipa-certupdate
  • 734afdf Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
  • 05e6626 Fix certmonger.wait_for_request
  • da24d8a Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage

ipa-4-1:

  • ed2bfff Introduce NSS database /etc/ipa/nssdb
  • 017d61d Move NSSDatabase from ipaserver.certs to ipapython.certdb
  • e7b7492 Add NSSDatabase.has_nickname for checking nickname presence in a NSS DB
  • 9c07228 Use NSSDatabase instead of direct certutil calls in client code
  • 483ebf9 Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
  • 511dc3a Check if IPA client is configured in ipa-certupdate
  • 6ab1f6c Get server hostname from jsonrpc_uri in ipa-certupdate
  • 9666212 Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
  • 7da4873 Fix certmonger.wait_for_request
  • d04fa16 Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage

Metadata Update from @dpal:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1

7 years ago
