#7160 Track HTTP/DS cert if issued by IPA lightweight CA?
Opened 2 years ago by ftweedal. Modified 2 years ago

In https://pagure.io/freeipa/issue/7141 we now only track HTTP/DS service certificate
if it was issued by the IPA CA.

The default behaviour is to issue these certificates from the IPA CA. So the current implementation
handles the default situation properly.

But if the certificate is issued by a sub-CA of the IPA CA (or other CA controlled by FreeIPA),
we do not track it. Should we?

Let us discuss.

I also think that we should track server certs issued by sub-CAs. This would affect
- the upgrade code (if server certs are issued by subCAs then they should also be tracked)
- the tool ipa-server-certinstall (used to replace HTTP and LDAP certificates), which currently does not track certificates if they are issued by sub-CAs

Login to comment on this ticket.