Use certmonger to renew CA subsystem certificates

Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803

19 files changed, 466 insertions, 13 deletions

diff --git a/install/Makefile.am b/install/Makefile.am
index 5670f9bd9..54c456a97 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -5,6 +5,7 @@ AUTOMAKE_OPTIONS = 1.7
 NULL =
 
 SUBDIRS =			\
+        certmonger		\
         conf			\
         html			\
         migration		\
diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
new file mode 100644
index 000000000..2023a2aec
--- /dev/null
+++ b/install/certmonger/Makefile.am
@@ -0,0 +1,14 @@
+NULL =
+
+appdir = $(libexecdir)/certmonger/
+app_SCRIPTS =					\
+	dogtag-ipa-retrieve-agent-submit	\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(app_SCRIPTS)			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in
diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit
new file mode 100644
index 000000000..24e1844a5
--- /dev/null
+++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit
@@ -0,0 +1,80 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The certificate rewewal is done on only one dogtag CA. The others
+# retrieve the updated certificate from IPA.
+
+import os
+import sys
+import shutil
+import tempfile
+import krbV
+import syslog
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import errors
+from ipalib import x509
+from ipapython import services as ipaservices
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.plugins.ldap2 import ldap2
+import base64
+
+# We cheat and pass in the nickname as the CA profile to execute against.
+# Some way is needed to determine which entry to retrieve from LDAP
+operation = os.environ.get('CERTMONGER_OPERATION')
+nickname = os.environ.get('CERTMONGER_CA_PROFILE')
+
+if operation not in ['SUBMIT', 'POLL']:
+    sys.exit(6) # unsupported operation
+
+api.bootstrap(context='renew')
+api.finalize()
+
+# Update or add it
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+    dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+    conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+    conn.connect(ccache=ccache)
+    try:
+        syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
+        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+        cert = entry_attrs['usercertificate'][0]
+        cert = base64.b64encode(cert)
+        print x509.make_pem(cert)
+    except errors.NotFound:
+        syslog.syslog(syslog.LOG_INFO, "Updated certificate for %s not available" % nickname)
+        # No cert available yet, tell certmonger to wait another 8 hours
+        print 8 * 60 * 60
+        sys.exit(5)
+    finally:
+        conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Exception trying to retrieve %s: %s" % (nickname, e))
+    # Unhandled error
+    sys.exit(3)
+finally:
+    shutil.rmtree(tmpdir)
+
+sys.exit(0)
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index 5ee3eddb5..06b3b32df 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -2,8 +2,9 @@ NULL =
 
 appdir = $(IPA_DATA_DIR)
 app_DATA =                              \
+	ca_renewal			\
 	ipa.conf			\
-	ipa-pki-proxy.conf			\
+	ipa-pki-proxy.conf		\
 	ipa-rewrite.conf		\
 	$(NULL)
 
diff --git a/install/conf/ca_renewal b/install/conf/ca_renewal
new file mode 100644
index 000000000..57a9e9c24
--- /dev/null
+++ b/install/conf/ca_renewal
@@ -0,0 +1,6 @@
+# A separate helper for fetching dogtag certificates that are renewed on
+# another system.
+id=dogtag-ipa-retrieve-agent-submit
+ca_is_default=0
+ca_type=EXTERNAL
+ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
diff --git a/install/configure.ac b/install/configure.ac
index 9e781a684..c5934d93d 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -75,6 +75,7 @@ AC_SUBST(IPA_SYSCONF_DIR)
 
 AC_CONFIG_FILES([
     Makefile
+    certmonger/Makefile
     conf/Makefile
     html/Makefile
     migration/Makefile
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index abc066b30..210c4863e 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -4,6 +4,9 @@ appdir = $(libdir)/ipa/certmonger
 app_DATA =                              \
 	restart_dirsrv			\
 	restart_httpd			\
+	restart_pkicad			\
+	renew_ca_cert			\
+	renew_ra_cert			\
 	$(NULL)
 
 EXTRA_DIST =                            \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
new file mode 100644
index 000000000..d3b756042
--- /dev/null
+++ b/install/restart_scripts/renew_ca_cert
@@ -0,0 +1,93 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import shutil
+import tempfile
+import krbV
+import syslog
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import errors
+from ipapython import services as ipaservices
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install.cainstance import update_cert_config
+
+nickname = sys.argv[1]
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+cert = db.get_cert_from_db(nickname, pem=False)
+
+if not cert:
+    syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
+    sys.exit(1)
+
+# Update or add it
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+    dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+    conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+    conn.connect(ccache=ccache)
+    try:
+        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+        entry_attrs['usercertificate'] = cert
+        conn.update_entry(dn, entry_attrs, normalize=False)
+    except errors.NotFound:
+        entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+                                        usercertificate=cert)
+        conn.add_entry(dn, entry_attrs, normalize=False)
+    except errors.EmptyModlist:
+        pass
+    conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+    shutil.rmtree(tmpdir)
+
+# Fix permissions on the audit cert if we're updating it
+if nickname == 'auditSigningCert cert-pki-ca':
+    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    args = ['-M',
+            '-n', nickname,
+            '-t', 'u,u,Pu',
+           ]
+    try:
+        db.run_certutil(args)
+    except ipautil.CalledProcessError:
+        syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+
+update_cert_config(nickname, cert)
+
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+
+try:
+    ipaservices.knownservices.pki_cad.restart('pki-ca')
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
new file mode 100644
index 000000000..2fcf1a79b
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert
@@ -0,0 +1,96 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import shutil
+import tempfile
+import syslog
+from ipapython import services as ipaservices
+from ipapython.certmonger import get_pin
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.install.cainstance import DEFAULT_DSPORT
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import x509
+from ipalib import errors
+from ipaserver.plugins.ldap2 import ldap2
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm)
+cert = db.get_cert_from_db('ipaCert', pem=False)
+serial_number = x509.get_serial_number(cert, datatype=x509.DER)
+subject = x509.get_subject(cert, datatype=x509.DER)
+issuer = x509.get_issuer(cert, datatype=x509.DER)
+
+# Load it into dogtag
+dn = str(DN(('uid','ipara'),('ou','People'),('o','ipaca')))
+
+try:
+    dm_password = get_pin('internaldb')
+except IOError, e:
+    syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+    sys.exit(1)
+
+try:
+    conn = ldap2(shared_instance=False, ldap_uri='ldap://localhost:%d' % DEFAULT_DSPORT)
+    conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+    (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False)
+    entry_attrs['usercertificate'].append(cert)
+    entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject)
+    conn.update_entry(dn, entry_attrs, normalize=False)
+    conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e)
+    sys.exit(1)
+
+# Store it in the IPA LDAP server
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+    dn = str(DN(('cn','ipaCert'),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+    conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+    conn.connect(ccache=ccache)
+    try:
+        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+        entry_attrs['usercertificate'] = cert
+        conn.update_entry(dn, entry_attrs, normalize=False)
+    except errors.NotFound:
+        entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+                                        usercertificate=cert)
+        conn.add_entry(dn, entry_attrs, normalize=False)
+    except errors.EmptyModlist:
+        pass
+    conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+    shutil.rmtree(tmpdir)
+
+# Now restart Apache so the new certificate is available
+try:
+    ipaservices.knownservices.httpd.restart()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index e243583f9..d6bbbbc3f 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -1,5 +1,26 @@
 #!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 import sys
+import syslog
 from ipapython import services as ipaservices
 
 try:
@@ -7,7 +28,9 @@ try:
 except IndexError:
     instance = ""
 
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
+
 try:
     ipaservices.knownservices.dirsrv.restart(instance)
 except Exception, e:
-    print "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e))
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)))
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index a53ab6e62..96f80bd8e 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -1,7 +1,30 @@
 #!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import syslog
 from ipapython import services as ipaservices
 
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
+
 try:
     ipaservices.knownservices.httpd.restart()
 except Exception, e:
-    print "Cannot restart httpd: %s" % str(e)
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
new file mode 100644
index 000000000..070760b16
--- /dev/null
+++ b/install/restart_scripts/restart_pkicad
@@ -0,0 +1,50 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import syslog
+from ipapython import services as ipaservices
+from ipaserver.install import certs
+from ipalib import api
+
+nickname = sys.argv[1]
+
+api.bootstrap(context='restart')
+api.finalize()
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
+
+# Fix permissions on the audit cert if we're updating it
+if nickname == 'auditSigningCert cert-pki-ca':
+    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    args = ['-M',
+            '-n', nickname,
+            '-t', 'u,u,Pu',
+           ]
+    db.run_certutil(args)
+
+try:
+    # I've seen times where systemd restart does not actually restart
+    # the process. A full stop/start is required. This works around that
+    ipaservices.knownservices.pki_cad.stop('pki-ca')
+    ipaservices.knownservices.pki_cad.start('pki-ca')
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 23510c953..aac3f059a 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -161,6 +161,12 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
 
+dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: ca_renewal
+
 dn: cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 870ac12e9..f3ed39599 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -86,3 +86,13 @@ changetype: modify
 add: aci
 aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
 
+# Let host add and update CA renewal certificates
+dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+
+dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 063eea023..c322cb62e 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -461,6 +461,7 @@ def main():
     krb = install_krb(config, setup_pkinit=options.setup_pkinit)
     http = install_http(config, auto_redirect=options.ui_redirect)
     if CA:
+        CA.configure_certmonger_renewal()
         CA.import_ra_cert(dir + "/ra.p12")
         CA.fix_ra_perms()
         ipaservices.knownservices.httpd.restart()
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cfb9a19e3..951bd4854 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -28,6 +28,7 @@ try:
     from ipapython import ipautil, sysrestore, version
     from ipapython.config import IPAOptionParser
     from ipapython.ipa_log_manager import *
+    from ipapython import certmonger
     from ipaserver.install import installutils
     from ipaserver.install import dsinstance
     from ipaserver.install import httpinstance
@@ -43,6 +44,7 @@ try:
     import os
     import shutil
     import fileinput
+    from ipalib import api
     import ipalib.errors
 except ImportError:
     print >> sys.stderr, """\
@@ -430,6 +432,35 @@ def named_enable_serial_autoincrement():
 
     return changed
 
+def enable_certificate_renewal(realm):
+    """
+    If the CA subsystem certificates are not being tracked for renewal then
+    tell certmonger to start tracking them.
+    """
+    ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+    if not ca.is_configured():
+        root_logger.debug('dogtag not configured')
+        return
+
+    # Using the nickname find the certmonger request_id
+    criteria = (('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),('cert_nickname', 'ipaCert', None))
+    request_id = certmonger.get_request_id(criteria)
+    if request_id is not None:
+        root_logger.debug('Certificate renewal already configured')
+        return
+
+    if not sysupgrade.get_upgrade_state('dogtag', 'renewal_configured'):
+        if ca.is_master():
+            ca.configure_renewal()
+        else:
+            ca.configure_certmonger_renewal()
+            ca.configure_clone_renewal()
+            ca.configure_agent_renewal()
+        ca.track_servercert()
+        sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
+        ca.restart(cainstance.PKI_INSTANCE_NAME)
+        root_logger.debug('CA subsystem certificate renewal enabled')
+
 def main():
     """
     Get some basics about the system. If getting those basics fail then
@@ -440,6 +471,9 @@ def main():
     if not os.geteuid()==0:
         sys.exit("\nYou must be root to run this script.\n")
 
+    if not installutils.is_ipa_configured():
+        sys.exit(0)
+
     safe_options, options = parse_options()
 
     standard_logging_setup('/var/log/ipaupgrade.log', verbose=True,
@@ -448,11 +482,8 @@ def main():
 
     fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
-    try:
-        krbctx = krbV.default_context()
-    except krbV.Krb5Error, e:
-        # Unable to get default kerberos realm
-        sys.exit(0)
+    api.bootstrap(context='restart')
+    api.finalize()
 
     fqdn = find_hostname()
     if fqdn is None:
@@ -464,13 +495,13 @@ def main():
     check_certs()
 
     auto_redirect = find_autoredirect(fqdn)
-    sub_dict = { "REALM" : krbctx.default_realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'}
+    sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'}
 
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
     upgrade_pki(fstore)
-    update_dbmodules(krbctx.default_realm)
+    update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
 
     http = httpinstance.HTTPInstance(fstore)
@@ -479,25 +510,26 @@ def main():
 
     memcache = memcacheinstance.MemcacheInstance()
     memcache.ldapi = True
-    memcache.realm = krbctx.default_realm
+    memcache.realm = api.env.realm
     try:
         if not memcache.is_configured():
             # 389-ds needs to be running to create the memcache instance
             # because we record the new service in cn=masters.
             ds = dsinstance.DsInstance()
             ds.start()
-            memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(krbctx.default_realm))
+            memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
     except (ldap.ALREADY_EXISTS, ipalib.errors.DuplicateEntry):
         pass
 
     cleanup_kdc(fstore)
-    upgrade_ipa_profile(krbctx.default_realm)
+    upgrade_ipa_profile(api.env.realm)
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     if changed_psearch or changed_autoincrement:
         # configuration has changed, restart the name server
         root_logger.info('Changes to named.conf have been made, restart named')
         bindinstance.BindInstance(fstore).restart()
+    enable_certificate_renewal(api.env.realm)
 
 if __name__ == '__main__':
     installutils.run_script(main, operation_name='ipa-upgradeconfig')
diff --git a/install/updates/21-ca_renewal_container.update b/install/updates/21-ca_renewal_container.update
new file mode 100644
index 000000000..50b92d73d
--- /dev/null
+++ b/install/updates/21-ca_renewal_container.update
@@ -0,0 +1,8 @@
+#
+# Add CA renewal container if not available
+#
+
+dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: ca_renewal
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index de112d99d..1e512d0f7 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -356,3 +356,7 @@ replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr
 # Don't allow the default 'manage group membership' to be able to manage the
 # admins group
 replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=ipa,cn=etc,$SUFFIX
+add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index e45690f14..bc7945d7a 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -22,6 +22,7 @@ app_DATA =				\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
 	21-replicas_container.update	\
+	21-ca_renewal_container.update	\
 	30-s4u2proxy.update		\
 	40-delegation.update		\
 	40-dns.update			\