Petr Vobornik via FreeIPA-devel wrote:
> On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>> Hi devs,
>>
>> This is at least the second time recently that people needing to
>> renew service certificates used ``ipa-cacert-manage renew`` (the
>> wrong command) and either didn't solve the problem or got into a
>> deeper mess.
>>
>> Clearly we have a usability problem here.
>>
>> The ipa-cacert-manage(1) man page is clear, but perhaps could use a
>> prominent statement that it doesn't renew service certs and if
>> that's all the user needs to do, to use `getcert resubmit` instead.
>
> Right, I think that a lot of people don't understand certificates well
> and so they don't distinguish CA cert and other cert. So when they see
> a howto for "CA certificate renewal" they understand "certificate
> renewal".
>
> From that perspective another possible culprit is also page:
>
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
>>
>> But I think better would be to enhance `ipa-cacert-manage renew` to
>> inspect the current CA certificate and if it has, say, more than 75%
>> of its validity period still to go, to PROMPT the user to confirm
>> that renewing the *CA* certificate is really what they wanted to do.
>>
>> What do others think of this idea?
>
> I like the idea.
Honestly, I'd be even harsher. IMHO this is one of those times that
requires:
Are you sure? (yes/NO)
Are you really sure? (yes/NO)
Really, you want to renew the CA certificate and not some other
certificate? This is not something to be done lightly? (yes/NO)
<insert another 72 questions here>
rob
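The validity-based confirmation proposed in the thread, as an added example that is not FreeIPA project code. It assumes the names validity_remaining(), needs_confirmation(), confirm_ca_renewal() and validity_from_pem(), takes the 75% threshold from the proposal, and uses constructed sample dates rather than a real certificate; the PEM loader needs the third-party `cryptography` package and is imported lazily so the rest runs without it.

```python
"""Added example (not FreeIPA project code): prompt before renewing a CA
certificate that still has most of its validity period ahead of it.

All function names, the threshold constant and the sample dates below are
hypothetical; the 75% figure comes from the thread's proposal.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Optional, Tuple

# Fraction of the validity period that must still lie ahead before we ask.
CONFIRM_THRESHOLD = 0.75


def validity_remaining(not_before: datetime, not_after: datetime,
                       now: Optional[datetime] = None) -> float:
    """Fraction of the validity period still ahead of `now`, clamped to [0, 1].

    All datetimes must be timezone-aware; X.509 notBefore/notAfter are UTC.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    total = (not_after - not_before).total_seconds()
    if total <= 0:
        raise ValueError("notAfter must be later than notBefore")
    ahead = (not_after - now).total_seconds()
    return max(0.0, min(1.0, ahead / total))


def needs_confirmation(fraction: float,
                       threshold: float = CONFIRM_THRESHOLD) -> bool:
    """True when enough validity remains that renewing looks like a mistake."""
    return fraction > threshold


def confirm_ca_renewal(not_before: datetime, not_after: datetime,
                       ask=input, now: Optional[datetime] = None,
                       threshold: float = CONFIRM_THRESHOLD) -> bool:
    """Decide whether `renew` should proceed.

    Returns True without asking when the CA certificate is near expiry (or
    already expired); otherwise prompts and proceeds only on an explicit
    "yes". `ask` is injectable so the prompt can be driven by a test
    instead of a terminal.
    """
    fraction = validity_remaining(not_before, not_after, now)
    if not needs_confirmation(fraction, threshold):
        return True
    prompt = (
        "The CA certificate still has {pct}% of its validity period left "
        "(expires {exp}).\n"
        "This command renews the CA certificate only. To renew a service "
        "certificate, use 'getcert resubmit' instead.\n"
        "Renew the CA certificate anyway? (yes/NO) "
    ).format(pct=round(fraction * 100), exp=not_after.strftime("%Y-%m-%d"))
    return ask(prompt).strip().lower() == "yes"


def validity_from_pem(pem: bytes) -> Tuple[datetime, datetime]:
    """Read notBefore/notAfter from a PEM certificate.

    Needs the third-party `cryptography` package (an assumption; imported
    lazily so the rest of the module works without it). Older releases lack
    the *_utc properties and return naive UTC datetimes, hence the fallback.
    """
    from cryptography import x509  # third-party; only needed here

    cert = x509.load_pem_x509_certificate(pem)
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


# Constructed sample values (not from any real deployment): a CA certificate
# with a 20-year lifetime, inspected about seven months into that period and
# again near the end of it.
SAMPLE_NOT_BEFORE = datetime(2017, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2037, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2017, 8, 2, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2036, 6, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Interactive demo: this prompts, because about 97% of validity remains.
    if confirm_ca_renewal(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, now=SAMPLE_NOW):
        print("proceeding with CA certificate renewal")
    else:
        print("aborted; nothing renewed")
```

Only the literal answer "yes" proceeds, matching the (yes/NO) default; an empty line, "y" or anything else aborts. An expired or nearly expired CA certificate skips the prompt entirely, so the check never gets in the way of the case the command is actually for.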