This is related to https://fedorahosted.org/freeipa/ticket/1431
We should update our certificate profile to add the CRL and OCSP CNAME as an additional URL to the current URL (which uses the actual IPA server hostname). The CNAME URL should be listed before the server hostname URL.
This change can (and should) be made before ticket 1431 is addressed.
I think we should do it in 3.1 Stabilization right away. Kicking back to NEEDS TRIAGE.
Related CS ticket for Dogtag 10 is https://fedorahosted.org/pki/ticket/358
Ade has mock-up in: https://fedorahosted.org/pki/ticket/358
Changes required have been placed into https://fedorahosted.org/pki/ticket/358
One thing that I noticed was that the crldp extension is not currently included in the certs IPA issues because the list of extensions to be included:
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
does not include policy 9 --> which is the extension for crldp. We can fix that in the ipa profile, but this will necessitate changes in the ipa installation code because that list is parsed by the install code. In particular, see cainstance.py ( def enable_subject_key_identifier(self):)
It would be bad form to include an OCSP server that doesn't exist. We may need to add an option to not configure this CNAME as we can't guarantee it will be added if we don't control DNS.
OCSP checking using ocspclnt is causing Apache to core dump, https://bugzilla.redhat.com/show_bug.cgi?id=878237
NSS can only support a single OCSP server in an AIA. The last one wins. There is an upstream bug against NSS on this now: https://bugzilla.mozilla.org/show_bug.cgi?id=797815
Replying to [comment:9 rcritten]:
This seems to be a Firefox bug not an NSS bug.
One of the NSS engineers, Kai Engert, confirmed that the call to obtain the OCSP responder, CERT_GetOCSPAuthorityInfoAccessLocation, only returns a single value.
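Added example, not FreeIPA, Dogtag or NSS code: it builds an RFC 5280 AuthorityInfoAccess extension carrying both OCSP responder URLs in the order the ticket asks for (the ipa-ca CNAME first, then the real server hostname) and parses every OCSP URI back out, which is what a consumer has to do to see more than one responder. The hostnames ipa-ca.example.test and ipa.example.test are placeholders.

```python
# Constructed example: DER-encode and decode an AIA extension with two
# id-ad-ocsp AccessDescriptions. Not FreeIPA/Dogtag code; hostnames are placeholders.
ID_AD_OCSP = bytes.fromhex("2b06010505073001")  # OID 1.3.6.1.5.5.7.48.1
TAG_SEQUENCE, TAG_OID, TAG_GN_URI = 0x30, 0x06, 0x86  # [6] IMPLICIT IA5String


def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def build_aia(ocsp_uris):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription, in the given order."""
    descs = b"".join(
        tlv(TAG_SEQUENCE, tlv(TAG_OID, ID_AD_OCSP) + tlv(TAG_GN_URI, u.encode("ascii")))
        for u in ocsp_uris
    )
    return tlv(TAG_SEQUENCE, descs)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 128:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def ocsp_responders(aia_der):
    """Return every OCSP URI in the AIA in encoded order (the first one is the CNAME)."""
    tag, seq, _ = read_tlv(aia_der, 0)
    assert tag == TAG_SEQUENCE
    uris, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)
        _, method, p = read_tlv(desc, 0)
        gn_tag, location, _ = read_tlv(desc, p)
        if method == ID_AD_OCSP and gn_tag == TAG_GN_URI:
            uris.append(location.decode("ascii"))
    return uris


# Placeholder URLs: CNAME URL first, then the server hostname URL.
OCSP_URIS = ["http://ipa-ca.example.test/ca/ocsp", "http://ipa.example.test/ca/ocsp"]
```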
I took over the work on this ticket, assigning it to myself.
After a discussion with vakwetu and rcritten we decided to not do any update to vanilla pki-ca certificate profile - i.e. dogtag ticket 358 was closed.
I will need to do all the code that configures the CRL/OCSP anyway, so we can use it in clean install too.
There is also one more change - we agreed with rcritten that the CNAME should have more general name and we chose ipa-ca.$DOMAIN.
master: 867f769
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=910470
Metadata Update from @nkinder:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.1 Stabilization