Issue #7160: Track HTTP/DS cert if issued by IPA lightweight CA? - freeipa

freeipa

#7160 Track HTTP/DS cert if issued by IPA lightweight CA?

Opened 6 years ago by ftweedal. Modified 6 years ago

In https://pagure.io/freeipa/issue/7141 we now only track HTTP/DS service certificate
if it was issued by the IPA CA.

The default behaviour is to issue these certificates from the IPA CA. So the current implementation
handles the default situation properly.

But if the certificate is issued by a sub-CA of the IPA CA (or other CA controlled by FreeIPA),
we do not track it. Should we?

Let us discuss.

frenaud commented 6 years ago

I also think that we should track server certs issued by sub-CAs. This would affect
- the upgrade code (if server certs are issued by subCAs then they should also be tracked)
- the tool ipa-server-certinstall (used to replace HTTP and LDAP certificates), which currently does not track certificates if they are issued by sub-CAs

Edited 6 years ago by frenaud

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#7160 Track HTTP/DS cert if issued by IPA lightweight CA? Opened 6 years ago by ftweedal. Modified 6 years ago

Close issue as:

Metadata

#7160 Track HTTP/DS cert if issued by IPA lightweight CA?

Opened 6 years ago by ftweedal. Modified 6 years ago