This is a request for a tool that helps debugging certificate-related issues.
Often we see cases where certificates are not updated in all the places (NSSDB and LDAP stores), which results in an inconsistency. I also find it painful that different certificates are stored under the same nickname within NSSDB (same cert subject with same key but renewed cert). The statement is that NSS code always picks the certificate that matches best. In some troubleshooting scenarios it's not always clear, though, what best match actually means. For instance, think of scenarios where the system clock has been put back in time. What is the benefit of keeping all the certificates of a subject within the NSSDB store instead of just the latest one? I understand that NSS code is working this way, I just don't see the benefit.
For a first touch analysis, I think a tool which detects inconsistencies between NSSDB and LDAP store would already help a lot of people. To make it even more convenient, the tool could tell which certificate is the right one to use (based on various metrics, like expiration date and CA verification path).
Some more ideas of what the tool should do:
- userCertificate, description, and any other relevant attributes used for authenticating ipara or Dogtag subsystem user entries. Sometimes the certs are valid but these entries have not been properly updated for some reason, causing failures.
- State of tracking requests, e.g. is certmonger tracking all the right certs, does the tracking request still have the correct configuration, access to the private key, etc.
- Verify that all certs are in sync between NSSDBs and LDAP.
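The consistency check and the "which certificate is the right one" question from the request above, as an added illustration (not FreeIPA or ipa-healthcheck code): it fingerprints every certificate by SHA-256 of its DER bytes, diffs the set held in the NSSDB against the set stored in LDAP, and then ranks the certificates under one nickname by validity period. The certificate records, the nickname `ipaCert`, the LDAP DN, serials and the `constructed-der-*` byte strings are all constructed sample data; in practice the records would be read from `certutil -L` output and from the `userCertificate;binary` attribute. The ranking uses only the validity window, so the CA verification path mentioned in the request is left out.

```python
"""Consistency check between certificates held in an NSS database and the
copies stored in LDAP, plus a "best certificate" selection per nickname.

Added illustration, not FreeIPA or ipa-healthcheck code. All certificate
records below are constructed by hand; real ones would come from
`certutil -L -d <nssdb>` / `certutil -L -n <nick> -a` and from the
userCertificate;binary attribute of the LDAP entries.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CertRecord:
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime
    der: bytes  # DER encoding; constructed placeholder bytes in the samples

    @property
    def fingerprint(self) -> str:
        # SHA-256 over the DER bytes identifies a certificate regardless of
        # where it is stored (NSSDB nickname or LDAP attribute).
        return hashlib.sha256(self.der).hexdigest()


def _ts(s: str) -> datetime:
    """Parse a YYYY-MM-DD date as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


# Constructed sample data: one subject whose certificate was renewed. The
# NSSDB holds both the old and the renewed cert under a single nickname;
# LDAP was never updated and still holds only the old one.
OLD = CertRecord("CN=ipara,O=EXAMPLE", 7, _ts("2022-01-01"), _ts("2024-01-01"),
                 b"constructed-der-old")
NEW = CertRecord("CN=ipara,O=EXAMPLE", 12, _ts("2023-12-01"), _ts("2025-12-01"),
                 b"constructed-der-new")

NSSDB: Dict[str, List[CertRecord]] = {"ipaCert": [OLD, NEW]}            # nickname -> certs
LDAP: Dict[str, List[CertRecord]] = {"uid=ipara,ou=people,o=ipaca": [OLD]}  # entry DN -> certs


def compare_stores(nssdb: Dict[str, List[CertRecord]],
                   ldap: Dict[str, List[CertRecord]]) -> Dict[str, List[str]]:
    """Return fingerprints present in one store but missing from the other."""
    in_nss = {c.fingerprint for certs in nssdb.values() for c in certs}
    in_ldap = {c.fingerprint for certs in ldap.values() for c in certs}
    return {
        "missing_in_ldap": sorted(in_nss - in_ldap),
        "missing_in_nssdb": sorted(in_ldap - in_nss),
    }


def best_cert(certs: List[CertRecord], now: datetime) -> Optional[CertRecord]:
    """Pick the cert to use right now: among certs whose validity window
    contains `now`, the one expiring last. Returns None when no cert is
    currently valid, which is exactly what a clock set back before every
    notBefore (or forward past every notAfter) produces."""
    valid = [c for c in certs if c.not_before <= now <= c.not_after]
    if not valid:
        return None
    return max(valid, key=lambda c: c.not_after)


def report(nssdb: Dict[str, List[CertRecord]], ldap: Dict[str, List[CertRecord]],
           now: datetime) -> dict:
    """Combine the store diff with the per-nickname choice (serial or None)."""
    choices = {}
    for nick, certs in nssdb.items():
        chosen = best_cert(certs, now)
        choices[nick] = chosen.serial if chosen else None
    return {"diff": compare_stores(nssdb, ldap), "best_by_nickname": choices}


if __name__ == "__main__":
    # With the sample data the renewed cert (serial 12) is missing from LDAP
    # and is the one to use in mid-2024.
    print(report(NSSDB, LDAP, _ts("2024-06-01")))
```

A `None` from `best_cert` is the finding worth surfacing: it means that, at the clock value the host currently has, nothing under that nickname is usable, and the cause is more likely the clock than the certificates.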
Metadata Update from @tscherf:
- Issue assigned to someone
- Issue set to the milestone: Future Releases
The tool ipa-healthcheck now provides many cert-related checks; for more information refer to https://github.com/freeipa/freeipa-healthcheck/blob/master/README.md#understanding-the-results. Closing as fixed.
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)