diff options
author | Rob Crittenden <rcritten@redhat.com> | 2012-07-11 15:51:01 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-07-30 13:39:08 +0200 |
commit | 03837bfd6dbf7fd1eaa437da22807d7061b99af7 (patch) | |
tree | 746a0d63ca10adeb72b792e2557c6a918181bb96 /install/share | |
parent | e345ad12eb05e53246c2eca54616f9001765c291 (diff) | |
download | freeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.tar.gz freeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.tar.xz freeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.zip |
Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.
A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.
The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.
The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.
On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.
https://fedorahosted.org/freeipa/ticket/2803
Diffstat (limited to 'install/share')
-rw-r--r-- | install/share/bootstrap-template.ldif | 6 | ||||
-rw-r--r-- | install/share/default-aci.ldif | 10 |
2 files changed, 16 insertions, 0 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 23510c953..aac3f059a 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -161,6 +161,12 @@ objectClass: nsContainer objectClass: top cn: posix-ids +dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: ca_renewal + dn: cn=s4u2proxy,cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 870ac12e9..f3ed39599 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -86,3 +86,13 @@ changetype: modify add: aci aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) +# Let host add and update CA renewal certificates +dn: cn=ipa,cn=etc,$SUFFIX +changetype: modify +add: aci +aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";) + +dn: cn=ipa,cn=etc,$SUFFIX +changetype: modify +add: aci +aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";) |