On Wed, 04 Mar 2020, Sigbjorn Lie via FreeIPA-users wrote:
> Hi Alex,
> Thanks for your prompt response.
> There are no Debian/Ubuntu systems in our environment.
> From your response, is the dual CA cert to be expected / by design?
Yes, actually, it is to be expected for any setup with an external CA root.
> I have not yet verified which certificate every application in our
> environment ends up utilizing, as serving both the old and the new
> CA certificates seems to me to be a bug, and I would rather fix the bug
> than make workarounds.
No, it is not a bug. It is normal and common to have multiple CA roots
available in a certificate store. The checks are done against a valid
CA root for the specific certificate, and if you have one issued with the
use of the older CA root certificate, you need to verify against that.
What I'd like to get clear is why you are pointing the applications to
/etc/ipa/ca.crt. Supposedly, the content of this file is already a part
of the system-wide certificate store. On RHEL/CentOS/Fedora systems, the
way the system-wide store works, there are multiple representations that
are supported by all crypto libraries and frameworks. So you don't need
to put a direct reference to /etc/ipa/ca.crt.
> Back to my original question, what is the reason for continuing to serve the
> old certificate? Would it not be sufficient to serve only the new
> certificate to new clients being enrolled and to clients using the
> ipa-certupdate command?
It is to allow clients to verify certificates issued with the previous
CA root certificate. Until you have renewed all certificates issued with
the old CA root, you need to keep that in place, or clients/servers using
that wouldn't be able to trust the certificate.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
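The following is an added worked example, not part of the thread above and not FreeIPA's own code, that reproduces the point Alexander makes with plain openssl: a leaf certificate issued under the old root only verifies while the old root is still in the trust bundle, which is why the bundle keeps both roots until every old-root certificate has been renewed. It assumes `openssl` is on PATH; the two self-signed roots, the two leaf certificates, the hostname ipa.example.test and the file names are all constructed for the demo and stand in for the real /etc/ipa/ca.crt bundle.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): why a trust bundle
# must keep the previous CA root until every certificate it issued is gone.
# Assumes openssl on PATH. Every certificate below is generated locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a CA extension section for the self-signed roots
# and a server extension section for the leaf certificates (constructed).
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ipa.example.test
EOF

# make_ca NAME SUBJECT_CN: create a self-signed CA root in $WORK/NAME.{key,crt}
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/openssl.cnf" -extensions ca_ext \
        -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA_NAME HOSTNAME LEAF_NAME: issue a server cert signed by that CA
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/openssl.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -days 30 -sha256 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
        -out "$WORK/$3.crt" 2>/dev/null
}

# verify_against LEAF_NAME BUNDLE_FILE: print "ok" if the leaf chains to a
# root in BUNDLE_FILE, "fail" otherwise. -no-CApath keeps the system
# directory out of the picture so only the given bundle counts.
verify_against() {
    if openssl verify -no-CApath -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# cert_count BUNDLE_FILE: number of PEM certificates in a bundle
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_ca oldca "Old External Root CA"
make_ca newca "New External Root CA"
issue_leaf oldca ipa.example.test old_leaf   # issued before the CA renewal
issue_leaf newca ipa.example.test new_leaf   # issued after the CA renewal

# Two candidate trust bundles: only the new root, or both roots (the latter
# is the "dual CA cert" shape the thread describes).
cp "$WORK/newca.crt" "$WORK/new_only.pem"
cat "$WORK/oldca.crt" "$WORK/newca.crt" > "$WORK/both.pem"

printf 'both.pem holds %s CA certificates\n' "$(cert_count "$WORK/both.pem")"
for leaf in old_leaf new_leaf; do
    for bundle in new_only both; do
        printf '%-8s against %-8s : %s\n' "$leaf" "$bundle" \
            "$(verify_against "$leaf" "$WORK/$bundle.pem")"
    done
done
```

Run it and the only failing combination is the old-root leaf checked against the new-root-only bundle; drop the old root from the bundle before that leaf is renewed and every client using the bundle stops trusting it. The bundle with both roots verifies everything, and, as the reply above notes, applications on RHEL-family systems should consume it through the shared system-wide trust store rather than by pointing at /etc/ipa/ca.crt directly.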