On Fri, 26 May 2017, Fraser Tweedale wrote:
> What is the validity of the leaf certificates? Is the notAfter time
> of the leaf certificate pegged to the notAfter time of the CA
> certificate? If so, this is (IMO) a bug.
The leaf certs' expiration is pegged to that of the CA cert that was used
to issue them -- the old one, in this case -- but that is expected
behavior for any CA. It wouldn't be semantically valid otherwise, and
there's no guarantee that the CA cert will actually be renewed without
changing the key.
The odd behavior here is that certmonger woke up, noticed that every IPA
cert including the externally-signed IPA CA needed to be renewed, and
immediately caused the CA to renew them all. The IPA CA cert itself
yielded a log entry like this:
May 25 00:25:21 ipa.example.com dogtag-ipa-ca-renew-agent-submit[868]: Certificate with subject 'CN=Certificate Authority,O=EXAMPLE.COM' is about to expire, use ipa-cacert-manage to renew it
The other 7 or so IPA-generated certificates (host, RA, OCSP, etc.) were
renewed using the existing CA cert, with new validity periods tied to that
cert. As mentioned, certmonger would likely figure this out and renew
them all again using the since-replaced CA cert within the ~2 week period
until they all expire again, but this seems like unexpected behavior when
the IPA CA cert is signed by an external CA and can't be auto-renewed.
(Actually, based on the order the renewals were submitted, this seems like
it'd be an issue even if the CA cert were automatically renewed -- it
wasn't the first one to be submitted, either. Incidentally, the certs
which were renewed aren't a complete list -- both the "CN=ipa-ca-agent"
and "CN=Object Signing Cert" certs weren't renewed and aren't tracked by
certmonger.)
-Rob
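The point Rob makes above, that a leaf certificate cannot outlive the CA that signed it and so every renewal against the old CA lands on that CA's notAfter, as an added example that is not part of this thread or of FreeIPA/certmonger: it walks each tracked cert's issuer chain and flags the ones whose usable lifetime ends inside the next two weeks, saying whether the limit is the cert's own notAfter or a CA's. The certificate records and dates are constructed; only the IPA CA subject comes from the post.

```python
"""Added example: find certs whose usable lifetime is capped by an expiring CA."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def effective_not_after(cert, by_subject):
    """Walk up the issuer chain: a cert is only usable until the earliest
    notAfter on its path. Return that bound and the subject of the CA that
    imposes it (None if the cert's own notAfter is the limit)."""
    bound, capped_by, seen = cert.not_after, None, {cert.subject}
    cur = cert
    while cur.issuer in by_subject and cur.issuer not in seen:
        cur = by_subject[cur.issuer]
        seen.add(cur.subject)
        if cur.not_after <= bound:  # a CA above expires no later than we do
            bound, capped_by = cur.not_after, cur.subject
    return bound, capped_by


def expiring_within(certs, now, window=timedelta(days=14)):
    """Return {subject: (days_left, capping_ca)} for every cert whose
    effective expiry falls inside `window` measured from `now`."""
    by_subject = {c.subject: c for c in certs}
    out = {}
    for c in certs:
        bound, capped_by = effective_not_after(c, by_subject)
        if now <= bound < now + window:
            out[c.subject] = ((bound - now).days, capped_by)
    return out


# Constructed sample chain (names other than the IPA CA subject are made up).
CA = "CN=Certificate Authority,O=EXAMPLE.COM"
EXTERNAL = "CN=Example External Root"  # hypothetical external signer
CA_EXPIRY = datetime(2017, 6, 8)
NOW = datetime(2017, 5, 25, 0, 25, 21)
SAMPLE_CERTS = [
    Cert(EXTERNAL, EXTERNAL, datetime(2027, 1, 1)),
    Cert(CA, EXTERNAL, CA_EXPIRY),
    # Renewed against the old IPA CA, so their notAfter is pegged to its own.
    Cert("CN=ipa.example.com,O=EXAMPLE.COM", CA, CA_EXPIRY),
    Cert("CN=IPA RA,O=EXAMPLE.COM", CA, CA_EXPIRY),
    Cert("CN=OCSP Subsystem,O=EXAMPLE.COM", CA, CA_EXPIRY),
    # Expires on its own before the CA does: flagged, but not capped by a CA.
    Cert("CN=lab-test,O=EXAMPLE.COM", CA, datetime(2017, 6, 1)),
]

if __name__ == "__main__":
    for subj, (days, ca) in expiring_within(SAMPLE_CERTS, NOW).items():
        print(f"{days:3d}d  {subj}" + (f"  (capped by {ca})" if ca else ""))
```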