#2776 Offline Certificate Renewal System
Closed: fixed 4 years ago by dmoluguw. Opened 6 years ago by dmoluguw.

Current scenario:

When a system certificate expires, we need to roll back the date to a valid range and start the renewal process.

Proposed Solution:

An offline tool that creates temporary certificates to bring up the server, after which we can proceed with the online renewal process.

Related wiki: http://pki.fedoraproject.org/wiki/Offline_System_Certificate_Renewal


Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

6 years ago

Per PKI Bug Council of 07/06/2017: 10.4 - critical

Metadata Update from @mharmsen:
- Issue priority set to: critical
- Issue set to the milestone: 10.4 (was: 0.0 NEEDS_TRIAGE)

6 years ago

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1468348

6 years ago

Metadata Update from @mharmsen:
- Issue assigned to dmoluguw

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.4)

6 years ago

Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)

6 years ago

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

6 years ago

See also https://pagure.io/dogtagpki/issue/1752 (which specifically is for renewal of expired CA certificate). The complete solution for this ticket will also discharge 1752.

Metadata Update from @mharmsen:
- Issue priority set to: blocker (was: major)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.6)

6 years ago

Metadata Update from @mharmsen:
- Issue priority set to: major (was: blocker)

6 years ago

Per 10.5.x/10.6 Triage: 10.5.x

Metadata Update from @mharmsen:
- Issue priority set to: blocker (was: major)

5 years ago

Dumping a few thoughts here so I don't forget them.

  1. I have a solution for dealing with and renewing expired subsystem cert (and also dealing with, but not renewing, expired DS service cert). But the new subsystem cert is not (yet) automatically installed in the relevant DB user entry. But it probably can be, since we know that the user is pkidbuser (probably).

  2. We can't automatically deal with expired DS cert. It is nontrivial to detect this from within cert-fix. But, if we can detect it, we can leave Dogtag configured to use basic auth on unsecured connection, and advise the admin that the DS cert needs their attention.

  3. About to start investigating how we could handle an expired agent cert.

For the agent cert, the standard mapping code does not require an exact certificate match, only a match of the description attribute, which has the format 2;<serial>;<issuer-dn>;<subject-dn>.
So if the admin cert is expired, re-issuing it with the same serial and an updated validity period should be sufficient.

But I do not like this approach at all. I'm going to investigate whether we can use password auth for the agent/admin account, during cert-fix.

Edit: yes, we can totally use password authn for this. Indeed, IPA configures the admin account with the (original) DM passphrase. In general we can't assume it has the same passphrase. Now I will see if it is possible to change to a random passphrase using the DM cred, then restore the earlier passphrase afterwards by writing back the original userPassword attribute value.
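To make the mapping behaviour in the comment above concrete, here is an added example (not Dogtag's own code) that parses the `2;<serial>;<issuer-dn>;<subject-dn>` description attribute and applies the same match rule: serial, issuer and subject only, with validity never consulted. The `Cert` record, the sample description and the DN values are constructed for the example, and DNs are compared as plain strings, which is a simplification of real DN normalization.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

DESCRIPTION_VERSION = "2"  # leading field of the description attribute

@dataclass(frozen=True)
class CertDescription:
    serial: int
    issuer_dn: str
    subject_dn: str

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the fields of an X.509 certificate."""
    serial: int
    issuer_dn: str
    subject_dn: str
    not_after: datetime

def parse_description(value: str) -> CertDescription:
    """Parse '2;<serial>;<issuer-dn>;<subject-dn>'. DNs may contain commas
    but not semicolons, so splitting on ';' at most three times is safe."""
    parts = value.split(";", 3)
    if len(parts) != 4 or parts[0] != DESCRIPTION_VERSION:
        raise ValueError(f"unsupported description format: {value!r}")
    _, serial, issuer, subject = parts
    return CertDescription(int(serial), issuer.strip(), subject.strip())

def description_matches(desc: CertDescription, cert: Cert) -> bool:
    """The mapping rule from the comment: serial, issuer and subject only.
    An expired cert, or one re-issued with the same serial, still maps."""
    return (desc.serial == cert.serial
            and desc.issuer_dn == cert.issuer_dn
            and desc.subject_dn == cert.subject_dn)

def is_expired(cert: Cert, now: Optional[datetime] = None) -> bool:
    """Separate check the mapping does not perform; callers must add it."""
    return cert.not_after < (now or datetime.now(timezone.utc))

# Constructed sample data (assumed values, not from the ticket).
ISSUER = "CN=CA Signing Certificate,O=EXAMPLE"
SUBJECT = "CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE"
SAMPLE_DESCRIPTION = f"2;7;{ISSUER};{SUBJECT}"
FIXED_NOW = datetime(2019, 1, 1, tzinfo=timezone.utc)
EXPIRED_ADMIN_CERT = Cert(7, ISSUER, SUBJECT, datetime(2018, 6, 1, tzinfo=timezone.utc))
OTHER_CERT = Cert(8, ISSUER, SUBJECT, datetime(2020, 6, 1, tzinfo=timezone.utc))
```

Running `description_matches(parse_description(SAMPLE_DESCRIPTION), EXPIRED_ADMIN_CERT)` returns True even though `is_expired(EXPIRED_ADMIN_CERT, FIXED_NOW)` is also True, which is exactly why the comment notes that a re-issued cert with the same serial would pass the mapping.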

Since this tool has been implemented, I'm closing this ticket. Feel free to file new tickets if there are bugs related to this tool.

Related PRs:
10.5 branch: https://github.com/dogtagpki/pki/pull/183
master: https://github.com/dogtagpki/pki/pull/182

Related Bugzillas:
https://bugzilla.redhat.com/show_bug.cgi?id=1468348
https://bugzilla.redhat.com/show_bug.cgi?id=1696849
https://bugzilla.redhat.com/show_bug.cgi?id=1679480

Metadata Update from @dmoluguw:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2896

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
