Thanks Fraser,
I'll be really interested to read it when it gets posted. For now I'll
make sure there's a process for us to renew/rekey the Sub CA before
revoking it.
Cheers,
Chris
On Thu, 2020-02-13 at 09:59 +1000, Fraser Tweedale wrote:
On Wed, Feb 12, 2020 at 10:35:00PM +0000, Christopher Lord via
FreeIPA-users wrote:
> Attempting to reply to the proper thread instead of to Rob privately.
> Please forgive my inexperience with mailing lists.
>
> Thanks Rob,
>
> I thought that was probably the case. Is it at all possible to revoke
> the Sub CA certificate and have FreeIPA aware that its cert has been
> revoked? Or would it just be a case of revoking the cert, and then
> following the manual renewal process to replace the cert?
>
> Chris
>
If it is planned to revoke the IPA CA certificate, you should
ideally renew it first to ensure continuity of service (for both
server operation, and clients when they validate end-entity
certificates). Then revoke the old IPA CA certificate.
Of course, the issuer might revoke the CA certificate at any time.
I'm not sure what would happen on an IPA server in default
configuration if that were to happen, or what the recovery procedure
would be. It is an interesting scenario. I will try and
investigate this and blog about it (some time in the next month or
so).
Cheers,
Fraser
> On Tue, 2020-02-11 at 19:04 -0500, Rob Crittenden wrote:
> > Christopher Lord via FreeIPA-users wrote:
> > > Hi All,
> > >
> > > We are doing a PoC of FreeIPA using a Sub CA issued by ms-ca as the
> > > CA for FreeIPA. One of the test cases laid out by our security team
> > > is that we need to be able to issue Sub CA certs for each FreeIPA
> > > replica so that we are able to revoke one of the Sub CAs and still
> > > have a functioning FreeIPA stack. However I haven't been able to
> > > find a way to have an issued Sub CA cert per replica server, or how
> > > to have a FreeIPA replica register that its Sub CA cert has been
> > > revoked.
> > >
> > > Is it possible to do these? If so, could I please be pointed to the
> > > appropriate doco?
> >
> > I think there is a misunderstanding of what an IPA master is, and
> > what a "replica" is. The only thing that distinguishes one master
> > from another is the order of installation (the first is assigned the
> > role of renewal master and CRL generator) and the optional services
> > on it (CA, KRA, DNS, AD). They are otherwise all exactly identical.
> >
> > A unique SubCA isn't (and can't be) generated for each new master
> > created.
> >
> > rob
> >
> > > Cheers,
> > >
> > > Chris
> > >
> > > Christopher Lord
> > > Systems Engineer, mnfgroup.limited <https://mnfgroup.limited>
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
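Fraser's advice above is "renew first, then revoke the old IPA CA certificate". The step that is easy to get wrong in a multi-server deployment is revoking before every server actually trusts the renewed CA. The following is an added example (not code from the thread or from the FreeIPA project) of a pre-revocation guard: it takes each IPA server's CA trust bundle (assumed here to be the PEM file /etc/ipa/ca.crt, fetched from every server beforehand, for example over ssh) and refuses to declare the old CA safe to revoke until the new CA certificate's SHA-256 fingerprint is present in all of them. The hostnames and the PEM data are constructed sample input; real bundles would be collected after running FreeIPA's ipa-cacert-manage renewal and ipa-certupdate on each server.

```python
"""Guard for the 'renew first, then revoke' ordering of an IPA CA certificate.

Added example, not from the mailing-list thread or the FreeIPA project.
Assumptions (not stated on the page): each server's trust bundle is the PEM
text of /etc/ipa/ca.crt, already collected into a dict keyed by hostname;
the new CA certificate is identified by its SHA-256 fingerprint over DER.
"""
import base64
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Matches one PEM certificate block and captures its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_bundle: str) -> Set[str]:
    """Return the hex SHA-256 fingerprint of every certificate in a PEM bundle."""
    fps = set()
    for match in PEM_BLOCK.finditer(pem_bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def safe_to_revoke(new_ca_fp: str, bundles_by_host: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ok, hosts_missing_new_ca).

    ok is True only when every server's bundle already contains the renewed
    CA certificate; until then revoking the old CA would break validation on
    the servers listed in hosts_missing_new_ca.
    """
    missing = sorted(
        host for host, pem in bundles_by_host.items()
        if new_ca_fp not in fingerprints(pem)
    )
    return (not missing, missing)


def make_pem(der: bytes) -> str:
    """Wrap raw bytes in a PEM certificate envelope (used to build sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample data: the byte strings stand in for DER certificates.
OLD_CA_DER = b"constructed-old-ipa-ca-certificate"
NEW_CA_DER = b"constructed-renewed-ipa-ca-certificate"
NEW_CA_FP = hashlib.sha256(NEW_CA_DER).hexdigest()

# Constructed: ipa1 has been updated with the renewed CA, ipa2 has not.
SAMPLE_BUNDLES = {
    "ipa1.example.test": make_pem(OLD_CA_DER) + make_pem(NEW_CA_DER),
    "ipa2.example.test": make_pem(OLD_CA_DER),
}


if __name__ == "__main__":
    ok, missing = safe_to_revoke(NEW_CA_FP, SAMPLE_BUNDLES)
    if ok:
        print("all servers trust the renewed CA; old CA may be revoked at the issuer")
    else:
        print("do NOT revoke yet; renewed CA missing on:", ", ".join(missing))
```

With the sample data the guard reports that ipa2.example.test still lacks the renewed CA, so the old certificate must not be revoked at the issuing CA until that server has been updated; only once every host passes should the revocation at the issuer proceed.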