Ticket #3074 introduced in FreeIPA 3.1 updated pki-ca IPA certificate profile to issue certificates with 2 URIs: - one URI pointing at the issuer: https://server.example.com - one URI pointing at general DNS name which would redirect the requesting party to any FreeIPA CA: https://ipa-ca.example.com
https://server.example.com
https://ipa-ca.example.com
However, there are 2 issues with this approach:
Using HTTPS for OCSP and CRL distribution points is unnecessary, as it does not add any extra security, because both OSCP responses and CRLs are signed (see RFC 2560 and RFC 5280). It also makes things more complicated, because the certificate presented by those service must be checked for validity itself (see #3547).
Client certificate libraries may not handle multiple OCSP/CRL distribution points and use just one, thus for failing to validate FreeIPA certificate if the original issuer was decommissioned. This issue is likely to not improve in soon future (see discussion in NSS Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=797815)
We decided to keep only one OCSP/CRL URI using HTTP protocol, pointing only at the general ipa-ca.$IPA_DOMAIN name.
ipa-ca.$IPA_DOMAIN
Existing certificates with incorrect OCSP/CRL URIs will need to be reissued manually to use the correct URL.
Changing the ticket scope.
As client software is not guaranteed to handle multiple OCSP/CRL URIs correctly, we have decided that instead of having 2 HTTP URIs for OCSP/CRL, we will have just one URI for the general name ipa-ca.$DOMAIN which will have A records of FreeIPA CAs.
ipa-ca.$DOMAIN
master: b25080b[[BR]] ipa-3-1: e434ef6
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)
Login to comment on this ticket.