On Fri, 26 May 2017, Fraser Tweedale wrote:
> What is the validity of the leaf certificates? Is the notAfter time of the leaf certificate pegged to the notAfter time of the CA certificate? If so, this is (IMO) a bug.
The leaf certs' expiration is pegged to that of the CA cert that was used to issue them -- the old one, in this case -- but that is expected behavior for any CA. It wouldn't be semantically valid otherwise, and there's no guarantee that the CA cert will actually be renewed without changing the key.
The odd behavior here is that certmonger woke up, noticed that every IPA cert including the externally-signed IPA CA needed to be renewed, and immediately caused the CA to renew them all. The IPA CA cert itself yielded a log entry like this:
May 25 00:25:21 ipa.example.com dogtag-ipa-ca-renew-agent-submit[868]: Certificate with subject 'CN=Certificate Authority,O=EXAMPLE.COM' is about to expire, use ipa-cacert-manage to renew it
The other 7 or so IPA-generated certificates (host, RA, OCSP, etc.) were renewed using the existing CA cert, with new validity periods tied to that cert. As mentioned, certmonger would likely figure this out and renew them all again using the since-replaced CA cert within the ~2 week period until they all expire again, but this seems like unexpected behavior when the IPA CA cert is signed by an external CA and can't be auto-renewed.
(Actually, based on the order the renewals were submitted, this seems like it'd be an issue even if the CA cert were automatically renewed -- it wasn't the first one to be submitted, either. Incidentally, the certs which were renewed aren't a complete list -- both the "CN=ipa-ca-agent" and "CN=Object Signing Cert" certs weren't renewed and aren't tracked by certmonger.)
-Rob
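The renewal behavior Rob describes leaves every IPA leaf certificate with a notAfter equal to the soon-to-expire CA cert's notAfter. The following audit script is an added example, not code from the thread or from certmonger/FreeIPA; it parses constructed `getcert list` output (the field names `issuer:`, `subject:` and `expires:` are assumed to match certmonger's format, the sample entries are made up) and flags every tracked cert whose expiry is pegged to its issuing CA's expiry, together with the days left before it must be renewed again.

```python
"""Flag certmonger-tracked certs whose notAfter is pegged to their issuing CA's notAfter."""
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output (trimmed to the fields this check needs).
GETCERT_LIST = """\
Request ID '20170525002521':
\tstatus: MONITORING
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=External Root CA,O=EXTERNAL
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2017-06-08 00:25:21 UTC
Request ID '20170525002522':
\tstatus: MONITORING
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.COM
\texpires: 2017-06-08 00:25:21 UTC
Request ID '20170525002523':
\tstatus: MONITORING
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2019-05-26 00:25:21 UTC
"""


def parse_getcert(text):
    """Turn `getcert list` output into one dict of fields per tracking request."""
    entries = []
    for block in re.split(r"^Request ID ", text, flags=re.MULTILINE)[1:]:
        fields = dict(re.findall(r"^\t([^:]+): (.*)$", block, flags=re.MULTILINE))
        stamp = fields["expires"].replace(" UTC", "")
        fields["expires"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append(fields)
    return entries


def pegged_certs(text, now):
    """Return (subject, days_left) for each cert whose notAfter equals its issuer's notAfter.

    The issuing CA is located by matching the leaf's issuer DN against the tracked subjects;
    a cert whose issuer is not tracked (the externally signed IPA CA itself) is skipped.
    """
    entries = parse_getcert(text)
    by_subject = {e["subject"]: e for e in entries}
    findings = []
    for e in entries:
        ca = by_subject.get(e["issuer"])
        if ca is None or ca is e or e["expires"] != ca["expires"]:
            continue
        findings.append((e["subject"], (e["expires"] - now).days))
    return findings
```

Run against real `getcert list` output on the IPA server, any cert reported here will need a second renewal as soon as the CA cert has been replaced with ipa-cacert-manage.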