summaryrefslogtreecommitdiffstats
path: root/install/share
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2012-07-11 15:51:01 -0400
committerMartin Kosek <mkosek@redhat.com>2012-07-30 13:39:08 +0200
commit03837bfd6dbf7fd1eaa437da22807d7061b99af7 (patch)
tree746a0d63ca10adeb72b792e2557c6a918181bb96 /install/share
parente345ad12eb05e53246c2eca54616f9001765c291 (diff)
downloadfreeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.tar.gz
freeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.tar.xz
freeipa-03837bfd6dbf7fd1eaa437da22807d7061b99af7.zip
Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803
Diffstat (limited to 'install/share')
-rw-r--r--install/share/bootstrap-template.ldif6
-rw-r--r--install/share/default-aci.ldif10
2 files changed, 16 insertions, 0 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 23510c953..aac3f059a 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -161,6 +161,12 @@ objectClass: nsContainer
objectClass: top
cn: posix-ids
+dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: ca_renewal
+
dn: cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 870ac12e9..f3ed39599 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -86,3 +86,13 @@ changetype: modify
add: aci
aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
+# Let host add and update CA renewal certificates
+dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+
+dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)