The SSL Heartbleed issue has underscored an issue that we have no way of handling presently. If the CA needs to be replaced for some reason, there is no way to do it. And since we only migrate users and groups, a LOT of data could be lost trying to switch to a fresh IPA installation.
Replacing the CA would be monumentally difficult, though with sssd working on being able to distribute CA certificates this may become possible.
I suspect that one can run pkidestroy to drop the existing CA, and carefully re-run pkispawn to add a replacement CA. This could probably be rather easily scripted using our existing tools (I think even with external CAs).
One would need to have a way to do the same on all other masters, replacing all IPA SSL server certs, and finally distributing this updated CA to all client machines.
This is planned to be investigated as phase 2 of the CA certificate management utility - #3737.
This will be complicated once we have a DRM installed as anything stored there will need to be re-wrapped.
Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.
Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5 backlog
Related to https://pagure.io/freeipa/issue/7281
Metadata Update from @mkosek:
- Issue close_status updated to: None