On Thu, May 25, 2017 at 10:59:11AM -0400, Rob Foehl via FreeIPA-users wrote:
> On Thu, 25 May 2017, Fraser Tweedale wrote:
> > This is not correct. The CA cert must be valid for the leaf cert to
> > be valid, but the CA cert *can* be renewed without requiring leaf
> > certificates to be reissued. So long as the following conditions
> > are met, everything will be fine:
> > 1. The CA's key (and Subject Key Identifier) do not change
> > 2. The CA's Subject DN does not change
> > 3. The new CA certificate gets distributed to clients.
> Huh? The CA cert's validity wasn't in question -- it was still valid, and
> was used to issue a slew of new certificates, all of which expire in two
> weeks, at expiration of the original CA cert. It has since been renewed,
> but that doesn't change the state of any of the leaf certs issued in the
> interim. Also not sure what the list of conditions has to do with anything,
> when it's up to "ipa-cacert-manage renew" to get those right.
What is the validity of the leaf certificates? Is the notAfter time
of the leaf certificate pegged to the notAfter time of the CA
certificate? If so, this is (IMO) a bug.
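The three renewal conditions quoted above, and the "is the leaf notAfter pegged to the CA notAfter?" question, played out with plain OpenSSL. This is an added example, not code from the thread or from FreeIPA/Dogtag: the DN, file names, serial number and validity periods are made up, and it models only what a renewed CA cert with the same key and Subject DN does to chain verification, not what ipa-cacert-manage itself does.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Dogtag.  Builds a tiny
# PKI with OpenSSL: a CA cert with 30 days left, a leaf valid for 365 days,
# then a "renewed" CA cert from the same key and Subject DN.  Hypothetical
# names throughout.
set -e

WORK="${WORK:-$(mktemp -d)}"
DAY=86400

# CA config: fixed Subject DN and an SKI derived from the key, so the
# renewed cert satisfies conditions 1 and 2 automatically.
write_configs() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = host.example.test
EOF
    # The leaf's AKI carries the issuer's key id only ("keyid,issuer" adds
    # issuer+serial only when no keyid is available).  "issuer:always" would
    # pin the old CA cert's serial and break verification after renewal.
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# make_ca OUT DAYS: self-signed CA cert, always from the *same* key.
make_ca() {
    [ -f "$WORK/ca.key" ] || openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -days "$2" \
        -config "$WORK/ca.cnf" -out "$1" 2>/dev/null
}

# issue_leaf CACERT OUT DAYS: leaf signed with the CA key; AKI = CA's SKI.
issue_leaf() {
    openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -config "$WORK/leaf.cnf" \
        -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$1" -CAkey "$WORK/ca.key" \
        -set_serial 4096 -days "$3" -extfile "$WORK/leaf.ext" -out "$2" 2>/dev/null
}

# verify_at CACERT LEAF EPOCH: exit 0 if the chain verifies at that time.
# -attime checks every cert in the chain, so an expired CA fails the leaf.
verify_at() {
    openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# leaf_pegged_to_ca LEAF CACERT: "yes" if the leaf's notAfter equals the CA's,
# which is the symptom described in the thread.
leaf_pegged_to_ca() {
    l=$(openssl x509 -noout -enddate -in "$1")
    c=$(openssl x509 -noout -enddate -in "$2")
    if [ "$l" = "$c" ]; then echo yes; else echo no; fi
}

build_pki() {
    write_configs
    make_ca "$WORK/ca-v1.crt" 30                      # original CA cert
    issue_leaf "$WORK/ca-v1.crt" "$WORK/leaf.crt" 365 # issued under it
    make_ca "$WORK/ca-v2.crt" 3650                    # renewed: same key, same DN
}

# Verify the leaf against the old and the renewed CA cert, now and 60 days
# out (after ca-v1 expires, before the leaf does).  Swapping -CAfile is
# condition 3, distributing the new CA cert.
renewal_outcome() {
    now=$(date +%s)
    future=$((now + 60 * DAY))
    out=""
    for ca in ca-v1 ca-v2; do
        for when in now future; do
            if [ "$when" = now ]; then t=$now; else t=$future; fi
            if verify_at "$WORK/$ca.crt" "$WORK/leaf.crt" "$t"; then r=ok; else r=fail; fi
            out="$out $ca-$when=$r"
        done
    done
    echo "${out# }"
}

build_pki
renewal_outcome
leaf_pegged_to_ca "$WORK/leaf.crt" "$WORK/ca-v1.crt"
```

Under the old CA cert the leaf stops verifying once that cert expires; under the renewed one, which shares key, SKI and Subject DN, the unchanged leaf verifies for its full 365 days. OpenSSL's `x509 -req -days` also does not clip the leaf's notAfter to the issuer's, so `leaf_pegged_to_ca` answers "no" here; pointed at an IPA-issued certificate and the CA certificate clients trust, the same function shows whether the issuing CA clipped the validity as described in the thread.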