[Freeipa-devel] Re: [Freeipa-users] Re: Renewing /etc/httpd/alias certs

Petr Vobornik via FreeIPA-devel wrote: > On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale <ftweedal(a)redhat.com&gt; wrote: >> Hi devs, >> >> This is at least the second time recently that people needing to >> renew service certificates used ``ipa-cacert-manage renew`` (the >> wrong command) and either didn't solve the problem or got into a >> deeper mess. >> >> Clearly we have a usability problem here. >> >> The ipa-cacert-manage(1) man page is clear, but perhaps could use a >> prominent statement that it doesn't renew service certs and if >> that's all the user needs to do, to use `getcert resubmit` instead. > > Right, I think that a lot of people don't understand certificates well > and so they don't distinguish CA cert and other cert. So when they see > a howto for "CA certificate renewal" they understand "certificate > renewal". > > From that perspective another possible culprit is also page: > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal > >> >> But I think better would be to enhance `ipa-cacert-manage renew` to >> inspect the current CA certificate and if it has, say, more than 75% >> of its validity period still to go, to PROMPT the user to confirm >> that renewing the *CA* certificate is really what they wanted to do. >> >> What do others think of this idea? > > I like the idea. Honestly, I'd be even harsher. IMHO this is one of those times that requires: Are you sure? (yes/NO) Are you really sure? (yes/NO) Really, you want to renew the CA certificate and not some other certificate? This is not something to be done lightly? (yes/NO) <insert another 72 questions here> rob