[Freeipa-devel] Mozilla Specific User Certificate Generation code:
Adam Young
ayoung at redhat.com
Tue Oct 4 13:41:36 UTC 2011
On 10/04/2011 09:32 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> It is possible to generate a Certificate signing request from the
>> browser, if we use Mozilla specific code. I've mildly hacked the Mozilla
>> sample code to work with JQuery and to display the CSR to the screen,
>> instead of sending it right to the server.
>>
>> I'd see this working something like this:
>>
>> 1. add the certificate attribute to the user plugin.
>> 2. On the user page, if the principal of the user selected matches the
>> kerberos principal for the logged user, show the certificate control
>> 3. The certificate control allows the user to request a new certificate.
>> 4. If the user has a certificate, the certificate control allow the user
>> to download the certificate.
>>
>>
>> I have to look into the details, but the certificate shoud only be
>> useable by default in the browser that originally requested it. However,
>> it is fairly easy to export the certificate, along with the primary keys
>> that generated its CSR, such that it would be usable elsewhere: For
>> example https://ca.cern.ch/ca/Help/?kbid=040111
>>
>> This seems like fairly simple to implement. We would not even have to
>> extend the API. We keep the certificate request separate from the user
>> until it is signed, and then add it to the user object. Thus it would be
>> created as a side effect of:
>>
>> ipa cert-request --add --principal=abradley at DEV.EXAMPLE.COM abradley.csr
>
> Yes, CRMF is how we'll eventually add user certificate support, but
> this is the easy part.
>
> On the server side we need to add support for multiple certificate
> profiles (your above request issues a server cert for the user abradley).
>
> We also need a way to manage a queue of requests. User certificates
> are a different beast from server certs and in many cases will require
> the intervention of a security officer, or some other 3rd party
> verification.
>
> rob
Basic user certificates should probably be issued without security
officer intervention, as they merely play the same role as the Kerberos
credential. Where it gets tricky is if we deactivate a user, we should
put the certificate on Hold, which means we need to update the CRLs we
publish, but CS should handle this fairly easily. We would need to
expand the Cert plugin to determine if a request is for a user
certificate or a server certificate, but it has enough information do
that already.
However, there might be other certificates that we want to issue in the
future. If I understand correctly, this work should be delegated to
Certificate server, and the IPA Cert plugin needs to be expanded to
track the certificate requests pending in the CS instance.
More information about the Freeipa-devel
mailing list