#7991 Use profile-based renewal for system certificates
Closed: fixed 3 months ago by ftweedal. Opened 4 months ago by ftweedal.

Request for enhancement

There have been numerous customer cases concerning failures of, or incorrect renewal of, Dogtag system certificates or the IPA RA certificate. These certificates use serial-based renewal requests. The request refers to the serial number of the certificate to be renewed. The certificate record is looked up, and from there, the original request record. The details of that request are re-used to create a new certificate.

This has led to problems including:

  • Request failure because the original request record cannot be found. This may be due to data that was somehow deleted, or replication failures, or data corruption.
  • Request succeeds, but the certificate details (e.g. Subject DN) are wrong. The wrong request was looked up. This could be due to conflicting replica request and/or serial ranges.

We investigated whether the renewal procedure for these certificates can be changed to use regular enrolment requests instead of serial-based renewal requests, and concluded:

  • It is feasible.
  • Certmonger tracking requests must record the profile to use.
  • Exception: default profile (caServerCert) is used ('Server-Cert cert-pki-ca' and IPA RA)
  • For existing installs, ipa-server-upgrade must add the profile template to relevant tracking requests.
  • A small update to dogtag-ipa-ca-renew-agent Certmonger helper to instruct dogtag-ipa-renew-agent (part of Certmonger itself) to perform a new enrolment instead of renewal request.

The scenario was tested by upgrading the deployment with the changes above and adding the profile to relevant tracking requests. I deleted the old OCSP certificate record, then renewed it via `getcert resubmit`. Renewal succeeded.

We have agreed to proceed with this effort. A bit more work and testing is needed, in particular:

  • Extend ipa-server-upgrade to add profiles to KRA cert tracking requests (when KRA is installed)
  • More testing.
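The conclusions above hinge on every Dogtag tracking request carrying a profile, because a request without one still falls back to the serial-based path that fails when the original request record is missing or wrong. The following is an added example, not FreeIPA or certmonger code: it parses `getcert list` output, flags tracking requests for the IPA renewal CA whose `profile:` line is missing or does not match the expected profile, and emits the `getcert resubmit -i ID -T PROFILE` commands an administrator could use to correct them by hand (the ticket's own fix does this inside ipa-server-upgrade). The nickname-to-profile mapping, the request IDs and the `getcert list` text are constructed for the example; the real mapping lives in the installer.

```python
"""Audit certmonger tracking requests for Dogtag system certificates.

Added example, not FreeIPA project code. Assumes the text form of
``getcert list`` (one "Request ID '...':" header per request, followed by
indented "key: value" lines) and an assumed nickname -> profile mapping.
"""
import re
from typing import Dict, List, Optional, Tuple

# certmonger CA through which IPA system certificates are renewed (named on the page).
RENEWAL_CA_NAME = "dogtag-ipa-ca-renew-agent"

# Assumed mapping of Dogtag NSS nicknames to the Dogtag profile each should use.
# caServerCert for Server-Cert is stated on the page; the others are assumptions
# for the purpose of this example.
EXPECTED_PROFILES: Dict[str, str] = {
    "ocspSigningCert cert-pki-ca": "caOCSPCert",
    "subsystemCert cert-pki-ca": "caSubsystemCert",
    "auditSigningCert cert-pki-ca": "caSignedLogCert",
    "Server-Cert cert-pki-ca": "caServerCert",
}

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split ``getcert list`` output into one dict per tracking request.

    Real output indents attribute lines with a tab; leading whitespace is
    stripped so space-indented text parses the same way.
    """
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # banner line before the first request, or blank
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def nickname_of(req: Dict[str, str]) -> Optional[str]:
    """Extract the NSS nickname from the 'certificate:' storage descriptor."""
    match = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return match.group(1) if match else None


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (request_id, nickname, expected_profile) for every Dogtag
    tracking request whose profile is missing or differs from the expected one.
    Requests tracked by other CAs (e.g. the HTTP cert via 'IPA') are ignored."""
    findings = []
    for req in parse_getcert_list(text):
        if req.get("CA") != RENEWAL_CA_NAME:
            continue
        nick = nickname_of(req)
        expected = EXPECTED_PROFILES.get(nick or "")
        if expected is None:
            continue  # unknown nickname: nothing to compare against
        if req.get("profile") != expected:
            findings.append((req["id"], nick, expected))
    return findings


def fix_commands(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Corrective commands (assumed usage of getcert's -T option on resubmit)."""
    return ["getcert resubmit -i %s -T %s" % (rid, profile) for rid, _, profile in findings]


# Constructed sample: request 1 lacks a profile, request 2 has the wrong one,
# request 3 is correct, request 4 belongs to a different certmonger CA.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20190516101010':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    track: yes
Request ID '20190516101011':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    profile: caServerCert
    track: yes
Request ID '20190516101012':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    profile: caServerCert
    track: yes
Request ID '20190516101013':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    track: yes
"""


if __name__ == "__main__":
    for rid, nick, profile in audit(SAMPLE_GETCERT_LIST):
        print("request %s (%r) should use profile %s" % (rid, nick, profile))
    for cmd in fix_commands(audit(SAMPLE_GETCERT_LIST)):
        print(cmd)
```

On a live server the same functions can be fed the output of `getcert list` directly; the report is what ipa-server-upgrade's "log missing/misconfigured tracking requests" step would surface, and the `profile:` line is the signal that the renewal agent will take the enrolment path rather than the serial-based one.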

master:

  • 3c388f5 dogtaginstance: add profile to tracking requests
  • f6f6f83 upgrade: add profile to Dogtag tracking requests
  • 858ef59 certmonger: use long options when invoking dogtag-ipa-renew-agent
  • 1fb6fda dogtag-ipa-ca-renew-agent: always use profile-based renewal
  • 588f1dd dogtaginstance: avoid special cases for Server-Cert
  • 4f4e2f9 upgrade: always add profile to tracking requests
  • 482866e upgrade: update KRA tracking requests
  • 2d22f56 upgrade: log missing/misconfigured tracking requests
  • fa56755 upgrade: fix spurious certmonger re-tracking
  • 1bf008a cainstance: add profile to IPA RA tracking request
  • bb779ba Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants
  • 65d9a9b ipatests: test ipa-server-upgrade in CA-less deployment
  • f5822e3 httpinstance: add pinfile when tracking certificate
  • b7ad115 (HEAD) dsinstance: add profile when tracking certificate

ipa-4-8:

  • 2906449 dogtaginstance: add profile to tracking requests
  • 6fc44bd upgrade: add profile to Dogtag tracking requests
  • 34c51ea certmonger: use long options when invoking dogtag-ipa-renew-agent
  • ec5eb84 dogtag-ipa-ca-renew-agent: always use profile-based renewal
  • 19f1f10 dogtaginstance: avoid special cases for Server-Cert
  • 1f9d1ba upgrade: always add profile to tracking requests
  • 80895dd upgrade: update KRA tracking requests
  • f64c369 upgrade: log missing/misconfigured tracking requests
  • 5194bec upgrade: fix spurious certmonger re-tracking
  • 4758a4a cainstance: add profile to IPA RA tracking request
  • 27ea7db Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants
  • f8f8289 ipatests: test ipa-server-upgrade in CA-less deployment
  • 46792fb httpinstance: add pinfile when tracking certificate
  • 860b6f6 (HEAD) dsinstance: add profile when tracking certificate

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 months ago
