#3737 [RFE] Provide utility to change CA certificate
Closed: Fixed. Opened 8 years ago by mkosek.

Create a root cert management utility that would do:

  • CA certificate renewal and change of the chaining in different scenarios (IPA with PKI, CA-less IPA)
  • Conversion from CA-less to CA full with chaining or stand alone (may be a separate script)

Provide scripts to manually perform the CA certificate renewal on client/server machines (related discussion).

Related tickets: #3259, #3520


Reassigning to jcholast, as agreed with him.

Moving to current 3.4 month cycle.

3.4 development was shifted for one month, moving tickets to reflect reality better.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

This ticket is not complete yet, moving to next month milestone.

Ticket #3304 closed as a duplicate - it focused on a sub-case of this ticket.

As automatic deployment of CA certificates is delayed, see thread on freeipa-devel.

Updating the description.

Adding to list of tickets required for 4.0 release.

There is not enough time to review and test this feature properly for 4.0. Moving to 4.1.

master:

  • ee96533 Add function for checking if certificate is self-signed to ipalib.x509.
  • 3585702 Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
  • 73d8db6 Allow IPA master hosts to update CA certificate in LDAP.
  • 9393c39 Automatically update CA certificate in LDAP on renewal.
  • 2f6990c Track CA certificate using dogtag-ipa-ca-renew-agent.
  • 9e18857 Add method for setting CA renewal master in LDAP to CAInstance.
  • 2109d66 Provide additional functions to ipapython.certmonger.
  • 2c43a3d Move external cert validation from ipa-server-install to installutils.
  • 031b281 Add method for verifying CA certificates to NSSDatabase.
  • 2870db7 Add permissions for CA certificate renewal.
  • ba3c7b4 Add CA certificate management tool ipa-cacert-manage.
  • 0310963 Alert user when externally signed CA is about to expire.
  • baa665f Load sysupgrade.state on demand.
  • d1386be Pick new CA renewal master when deleting a replica.
  • e16d262 Remove master ACIs when deleting a replica.
  • 7086183 Do not use ldapi in certificate renewal scripts.
  • 61159b7 Check that renewed certificates coming from LDAP are actually renewed.
  • 1778f0e Allow IPA master hosts to read and update IPA master information.
  • 52f72ec Do not treat the IPA RA cert as CA cert in DS NSS database.
  • a8a44c1 Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall.
  • 9d4eeed Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.
  • d2bf0b8 Fix trust flags in HTTP and DS NSS databases.
  • 61f166d Add LDAP schema for wrapped cryptographic keys.
  • 25c10bc Add LDAP schema for certificate store.
  • 1c612ad Add container for certificate store.
  • fd80cc1 Configure attribute uniqueness for certificate store.
  • 586373c Add permissions for certificate store.
  • 4ae3f81 Add functions for extracting certificates fields in DER to ipalib.x509.
  • 239ef95 Add function for extracting extended key usage from certs to ipalib.x509.
  • de695e6 Add certificate store module ipalib.certstore.
  • 05212a1 Upload CA chain from DS NSS database to certificate store on server install.
  • 5f29a71 Upload CA chain from DS NSS database to certificate store on server update.
  • feecdb4 Rename CertDB method add_cert to import_cert.
  • 88706c5 Add new add_cert method for adding certificates to NSSDatabase and CertDB.
  • 82d682f Import CA certs from certificate store to DS NSS database on replica install.
  • 6f01499 Import CA certs from certificate store to HTTP NSS database on server install.
  • 9e223e6 Upload renewed CA cert to certificate store on renewal.
  • 29f42cb Refactor CA certificate fetching code in ipa-client-install.
  • fd40058 Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install.
  • 6870eb9 Add function for writing list of certificates to a PEM file to ipalib.x509.
  • 459d6cf Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install.
  • eaebefe Allow overriding NSS database path in RPCClient.
  • b5471a9 Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install.
  • 24932b2 Add functions for DER encoding certificate extensions to ipalib.x509.
  • 55d3bab Get CA certs for system-wide store from cert store in ipa-client-install.
  • 2b7a7c3 Get up-to-date CA certificates from certificate store in ipa-replica-install.
  • 60e19b5 Add client certificate update tool ipa-certupdate.
  • f1e186d Export full CA chain to /etc/ipa/ca.crt in ipa-server-install.
  • 987bf3f Allow multiple CA certificates in replica info files.
  • f39c6ee Add new NSSDatabase method get_cert for getting certs from NSS databases.
  • 18aa321 Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.
  • 1b8a1e5 Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert.
  • 8bbdfff Allow adding CA certificates to certificate store in ipa-cacert-manage.
  • d27e77a Allow upgrading CA-less to CA-full using ipa-ca-install.
  • 03b29b4 Update external CA cert in Dogtag NSS DB on IPA CA cert renewal.
  • 044c5c8 Enable NSS PKIX certificate path discovery and validation for Dogtag.

ipa-4-1:

  • ee96533 Add function for checking if certificate is self-signed to ipalib.x509.
  • 3585702 Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
  • 73d8db6 Allow IPA master hosts to update CA certificate in LDAP.
  • 9393c39 Automatically update CA certificate in LDAP on renewal.
  • 2f6990c Track CA certificate using dogtag-ipa-ca-renew-agent.
  • 9e18857 Add method for setting CA renewal master in LDAP to CAInstance.
  • 2109d66 Provide additional functions to ipapython.certmonger.
  • 2c43a3d Move external cert validation from ipa-server-install to installutils.
  • 031b281 Add method for verifying CA certificates to NSSDatabase.
  • 2870db7 Add permissions for CA certificate renewal.
  • ba3c7b4 Add CA certificate management tool ipa-cacert-manage.
  • 0310963 Alert user when externally signed CA is about to expire.
  • baa665f Load sysupgrade.state on demand.
  • d1386be Pick new CA renewal master when deleting a replica.
  • e16d262 Remove master ACIs when deleting a replica.
  • 7086183 Do not use ldapi in certificate renewal scripts.
  • 61159b7 Check that renewed certificates coming from LDAP are actually renewed.
  • 1778f0e Allow IPA master hosts to read and update IPA master information.
  • 52f72ec Do not treat the IPA RA cert as CA cert in DS NSS database.
  • a8a44c1 Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall.
  • 9d4eeed Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.
  • d2bf0b8 Fix trust flags in HTTP and DS NSS databases.
  • 61f166d Add LDAP schema for wrapped cryptographic keys.
  • 25c10bc Add LDAP schema for certificate store.
  • 1c612ad Add container for certificate store.
  • fd80cc1 Configure attribute uniqueness for certificate store.
  • 586373c Add permissions for certificate store.
  • 4ae3f81 Add functions for extracting certificates fields in DER to ipalib.x509.
  • 239ef95 Add function for extracting extended key usage from certs to ipalib.x509.
  • de695e6 Add certificate store module ipalib.certstore.
  • 05212a1 Upload CA chain from DS NSS database to certificate store on server install.
  • 5f29a71 Upload CA chain from DS NSS database to certificate store on server update.
  • feecdb4 Rename CertDB method add_cert to import_cert.
  • 88706c5 Add new add_cert method for adding certificates to NSSDatabase and CertDB.
  • 82d682f Import CA certs from certificate store to DS NSS database on replica install.
  • 6f01499 Import CA certs from certificate store to HTTP NSS database on server install.
  • 9e223e6 Upload renewed CA cert to certificate store on renewal.
  • 29f42cb Refactor CA certificate fetching code in ipa-client-install.
  • fd40058 Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install.
  • 6870eb9 Add function for writing list of certificates to a PEM file to ipalib.x509.
  • 459d6cf Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install.
  • eaebefe Allow overriding NSS database path in RPCClient.
  • b5471a9 Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install.
  • 24932b2 Add functions for DER encoding certificate extensions to ipalib.x509.
  • 55d3bab Get CA certs for system-wide store from cert store in ipa-client-install.
  • 2b7a7c3 Get up-to-date CA certificates from certificate store in ipa-replica-install.
  • 60e19b5 Add client certificate update tool ipa-certupdate.
  • f1e186d Export full CA chain to /etc/ipa/ca.crt in ipa-server-install.
  • 987bf3f Allow multiple CA certificates in replica info files.
  • f39c6ee Add new NSSDatabase method get_cert for getting certs from NSS databases.
  • 18aa321 Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.
  • 1b8a1e5 Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert.
  • 8bbdfff Allow adding CA certificates to certificate store in ipa-cacert-manage.
  • d27e77a Allow upgrading CA-less to CA-full using ipa-ca-install.
  • 03b29b4 Update external CA cert in Dogtag NSS DB on IPA CA cert renewal.
  • 044c5c8 Enable NSS PKIX certificate path discovery and validation for Dogtag.

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1

4 years ago