#5253 The KRA agent cert is stored in a PEM file that is not tracked
Closed: Fixed None Opened 8 years ago by simo.

The framework needs to use the KRA Agent cert by using a copy stored in a PEM file.
This copy is not tracked by certmonger so once expired the framework's KRA commands will break.

The KRA agent cert should be stored only in one file and tracked by certmonger.

Instead of having certmonger track the KRA agent cert in multiple locations, the PEM file can be exported from the NSS database for each request. To improve the performance the PEM file can be cached. The cache should be invalidated if the KRA authentication fails.

The idea is to deal with this by having the framework code actually pull the PEM at runtime and cache it, then check if permission denied/cert expired is raised on its operations and pull again a new PEM from the nssdb and cache it, on the presumption that certmonger will have updated the cert in the NSSDB in the meanwhile.

This can be done in the post-command script that already exists for ipaCert, renew_ra_cert.

You can extract the data into discrete files when it gets renewed; the framework wouldn't have to be aware of this at all.

Note that you'll also need to pre-create the PEM versions during install/upgrade but it should be a one-time operation.

Also after the KRA agent cert is renewed, the cert mapping to the KRA agent user needs to be updated in the PKI database. The mapping is stored in the LDAP entry of the KRA agent user:

dn: uid=ipakra,ou=people,o=kra,o=ipaca
...
description: <cert version>;<serial number>;<issuer DN>;<subject DN>
userCertificate: <DER encoded cert>

Note: cert version is 2

For now this should be done using LDAPI in IPA. In the future PKI will provide tools to update the cert mapping via LDAPI (https://fedorahosted.org/pki/ticket/1574) and IPA should use that instead.

The ipaCert is also used by the CA agent, so if it's renewed the mapping needs to be updated as well in PKI database:

dn: uid=ipara,ou=people,o=ipaca
...
description: <cert version>;<serial number>;<issuer DN>;<subject DN>
userCertificate: <DER encoded cert>
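As an added illustration (not code from this ticket or from FreeIPA, which implements this in Python), the following Go program builds the description mapping value and the LDAP modify that refreshes an agent entry after renewal. The agent DN, the EXAMPLE.COM organization and the self-signed certificate are constructed placeholders; the leading cert version 2 is the value noted above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// MappingDescription builds the Dogtag user-cert mapping value
// "<cert version>;<serial number>;<issuer DN>;<subject DN>"; the version is the fixed 2 noted in the ticket.
func MappingDescription(cert *x509.Certificate) string {
	return fmt.Sprintf("2;%s;%s;%s", cert.SerialNumber.String(), cert.Issuer.String(), cert.Subject.String())
}

// RenewalLDIF renders the modify that refreshes an agent entry after renewal:
// description gets the new mapping, userCertificate the new DER cert (base64 in LDIF).
func RenewalLDIF(dn string, der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("dn: %s\nchangetype: modify\nreplace: description\ndescription: %s\n-\n"+
		"replace: userCertificate\nuserCertificate:: %s\n",
		dn, MappingDescription(cert), base64.StdEncoding.EncodeToString(der)), nil
}

// selfSignedDER is a constructed stand-in for a renewed agent cert (not IPA-issued) so the example runs offline.
func selfSignedDER(cn string, serial int64) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"EXAMPLE.COM"}, CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, _ := selfSignedDER("KRA Agent", 7) // constructed input; errors ignored in the demo only
	ldif, _ := RenewalLDIF("uid=ipakra,ou=people,o=kra,o=ipaca", der)
	fmt.Print(ldif)
}
```

The modify is what would be applied over LDAPI to the PKI directory; once it runs, any cached PEM copy of the agent cert is stale and has to be re-exported from the NSS database.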

master:

  • 43ee695 cert renewal: Include KRA users in Dogtag LDAP update
  • e9a76c3 cert renewal: Automatically update KRA agent PEM file

ipa-4-2:

  • a3310c3 cert renewal: Include KRA users in Dogtag LDAP update
  • cea6636 cert renewal: Automatically update KRA agent PEM file

Metadata Update from @simo:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
