#6019 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install`
Closed: Fixed. Opened 7 years ago by jcholast.

After installing a replica, only the main CA cert is tracked by certmonger:

# getcert list | grep 'certificate:.*caSigningCert'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'

One has to run ipa-certupdate for lightweight sub-CA certs to be tracked by certmonger as well:

# getcert list | grep 'certificate:.*caSigningCert'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'

Fix ipa-replica-install to do this automatically.


This could be quite tricky... Dogtag LWCA key replication happens in
the background, and we would have to wait for keys to be replicated and
added to NSSDB before tracking them. Still, a "best effort" approach
would be better than nothing, and perhaps reporting which CAs, if any,
were not successfully tracked due to key being unavailable at replica-install
time.
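As an added illustration of the "best effort" report proposed in the comment above (which lightweight CAs are present in the Dogtag NSSDB but not tracked by certmonger), the following shell script is not part of FreeIPA or of the commits listed below. It parses constructed sample output of `certutil -L -d /etc/pki/pki-tomcat/alias` and `getcert list`; the first LWCA UUID is the one from the ticket, the second (`0d2c6a8b-...`) is made up to stand for a CA whose key has already replicated but which certmonger has not been told about.

```shell
#!/bin/sh
# Added example, not FreeIPA code: find lightweight sub-CA (LWCA) signing certs
# that exist in the Dogtag NSS database but that certmonger is not tracking.
#
# On a real replica the two inputs come from:
#   certutil -L -d /etc/pki/pki-tomcat/alias
#   getcert list
# Here both are constructed samples so the script runs offline; the UUID
# 0d2c6a8b-1111-2222-3333-444455556666 is made up for the demonstration.

NSSDB_DIR='/etc/pki/pki-tomcat/alias'

# Constructed sample of `certutil -L` output (nickname column, trust column).
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb u,u,u
caSigningCert cert-pki-ca 0d2c6a8b-1111-2222-3333-444455556666 u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
'

# Constructed sample of `getcert list` output: only the main CA and the first
# LWCA are tracked, which is the situation the ticket describes.
SAMPLE_GETCERT="
Number of certificates and requests being tracked: 2.
Request ID '20160801000001':
        status: MONITORING
        certificate: type=NSSDB,location='$NSSDB_DIR',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20160801000002':
        status: MONITORING
        certificate: type=NSSDB,location='$NSSDB_DIR',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
"

# An LWCA nickname is the main CA nickname followed by a space and the CA's UUID
# (36 characters of hex digits and hyphens). The main CA itself does not match.
LWCA_RE='caSigningCert cert-pki-ca [0-9a-f-]\{36\}'

# stdin: certutil -L output. stdout: one LWCA nickname per line, trust column dropped.
lwca_nicknames_in_nssdb() {
    sed -n "s/^\($LWCA_RE\)[[:space:]].*\$/\1/p"
}

# stdin: getcert list output. stdout: LWCA nicknames certmonger tracks in $NSSDB_DIR.
lwca_nicknames_tracked() {
    sed -n "s|.*location='$NSSDB_DIR',nickname='\($LWCA_RE\)',.*|\1|p"
}

# $1: certutil output, $2: getcert output.
# stdout: LWCA nicknames present in the DB that certmonger does not track (sorted).
untracked_lwcas() {
    _tracked=$(printf '%s\n' "$2" | lwca_nicknames_tracked)
    printf '%s\n' "$1" | lwca_nicknames_in_nssdb | sort | while IFS= read -r nick; do
        printf '%s\n' "$_tracked" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done
}

# Exit 0 when every LWCA in the DB is tracked, 1 otherwise (usable from scripts).
all_lwcas_tracked() {
    [ -z "$(untracked_lwcas "$1" "$2")" ]
}

# Human-readable report. Always exits 0 so it can run at the end of an
# installer without turning a missing tracking request into an install failure.
report_lwca_tracking() {
    _missing=$(untracked_lwcas "$1" "$2")
    if [ -z "$_missing" ]; then
        echo "All lightweight CAs in $NSSDB_DIR are tracked by certmonger."
    else
        echo "Lightweight CAs in $NSSDB_DIR NOT tracked by certmonger (run ipa-certupdate):"
        echo "$_missing" | sed 's/^/  /'
    fi
}

report_lwca_tracking "$SAMPLE_CERTUTIL" "$SAMPLE_GETCERT"
```

On a live replica, replace the two sample strings with `"$(certutil -L -d "$NSSDB_DIR")"` and `"$(getcert list)"`; because LWCA key replication is asynchronous, a CA that is absent from the NSSDB at install time will not appear in the report at all, so the check is worth repeating once replication has caught up.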

master:

  • 08b7683 Track lightweight CAs on replica installation

ipa-4-4:

  • 99b0db0 Track lightweight CAs on replica installation

Metadata Update from @jcholast:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4.1

7 years ago
