On Fri, 26 May 2017, Fraser Tweedale wrote:
> What is the validity of the leaf certificates? Is the notAfter time
> of the leaf certificate pegged to the notAfter time of the CA
> certificate? If so, this is (IMO) a bug.
The leaf certs' expiration is pegged to that of the CA cert that was
used to issue them -- the old one, in this case -- but that is expected
behavior for any CA. It wouldn't be semantically valid otherwise, and
there's no guarantee that the CA cert will actually be renewed without
changing the key.
The odd behavior here is that certmonger woke up, noticed that every IPA
cert including the externally-signed IPA CA needed to be renewed, and
immediately caused the CA to renew them all. The IPA CA cert itself
yielded a log entry like this:
May 25 00:25:21 ipa.example.com
Certificate with subject 'CN=Certificate Authority,O=EXAMPLE.COM' is
about to expire, use ipa-cacert-manage to renew it
The other 7 or so IPA-generated certificates (host, RA, OCSP, etc.) were
renewed using the existing CA cert, with new validity periods tied to
that cert. As mentioned, certmonger would likely figure this out and
renew them all again using the since-replaced CA cert within the ~2 week
period until they all expire again, but this seems like unexpected
behavior when the IPA CA cert is signed by an external CA and can't be
(Actually, based on the order the renewals were submitted, this seems
like it'd be an issue even if the CA cert were automatically renewed --
it wasn't the first one to be submitted, either. Incidentally, the
certs which were renewed aren't a complete list -- both the
"CN=ipa-ca-agent" and "CN=Object Signing Cert" certs weren't
aren't tracked by certmonger.)
certmonger doesn't have the context to know internal vs external. It
just knows a cert is expiring within its window so it renews it. IMHO
this is completely expected.
I believe that certmonger will renew it again as the final day approaches.
The object signing cert is deprecated and not used (it was used to sign
a JAR file to automatically configure Firefox). The ipa-ca-agent cert
isn't used either, it is an artifact of the dogtag install.
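The two points argued above, that a leaf's usable lifetime is clamped by its issuer's notAfter and that an expiring issuer should be renewed before the certs it signs (with an externally signed CA needing a manual step), as an added example that is not part of this thread or of certmonger/FreeIPA code; the inventory, subject names, dates and the 28-day window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory modelled on the thread (EXAMPLE.COM names, made-up dates).
# 'external' marks a CA cert signed outside IPA, which certmonger cannot renew itself.
CERTS = {
    "CN=External Root": {
        "issuer": None, "external": True,
        "not_after": datetime(2027, 1, 1, tzinfo=timezone.utc)},
    "CN=Certificate Authority,O=EXAMPLE.COM": {
        "issuer": "CN=External Root", "external": True,
        "not_after": datetime(2017, 6, 8, tzinfo=timezone.utc)},
    "CN=IPA RA,O=EXAMPLE.COM": {            # notAfter past its issuer: clamped below
        "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "external": False,
        "not_after": datetime(2019, 5, 25, tzinfo=timezone.utc)},
    "CN=OCSP Subsystem,O=EXAMPLE.COM": {
        "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "external": False,
        "not_after": datetime(2017, 6, 8, tzinfo=timezone.utc)},
    "CN=ipa.example.com,O=EXAMPLE.COM": {
        "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "external": False,
        "not_after": datetime(2017, 6, 8, tzinfo=timezone.utc)},
}
NOW = datetime(2017, 5, 25, tzinfo=timezone.utc)   # date of the log line in the thread

def chain(subject):
    """Subject followed by each issuer up to the root."""
    out = []
    while subject is not None:
        out.append(subject)
        subject = CERTS[subject]["issuer"]
    return out

def outlives_issuer(subject):
    """True if the cert's own notAfter is later than its issuer's (unusable past that point)."""
    issuer = CERTS[subject]["issuer"]
    return issuer is not None and CERTS[subject]["not_after"] > CERTS[issuer]["not_after"]

def effective_not_after(subject):
    """A cert is usable only while every issuer above it is valid, so the
    effective expiry is the earliest notAfter anywhere on its chain."""
    return min(CERTS[s]["not_after"] for s in chain(subject))

def renewal_plan(now, window_days):
    """Certs whose effective expiry falls inside the window, issuers before
    the certs they sign; externally signed CAs need a manual renewal step."""
    due = [s for s in CERTS if effective_not_after(s) - now <= timedelta(days=window_days)]
    due.sort(key=lambda s: len(chain(s)))        # shorter chain = nearer the root = first
    return [(s, "manual" if CERTS[s]["external"] else "auto") for s in due]
```

Running renewal_plan(NOW, 28) puts the externally signed IPA CA first and marks it manual, while the IPA RA entry shows a notAfter beyond its issuer being clamped to the CA's expiry.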