[Freeipa-devel] certmonger everywhere

Martin Kosek mkosek at redhat.com
Wed Dec 16 10:11:42 UTC 2015


On 12/16/2015 09:17 AM, Jan Cholasta wrote:
> On 16.12.2015 08:54, Martin Kosek wrote:
...
>>>   7. cert-request fetches the configuration for the specified sub-CA,
>>> or the
>>> default sub-CA if none was specified, from LDAP
>>>
>>>   8. cert-request forwards the request to the certmonger CA helper
>>> specified in
>>> the LDAP configuration over D-Bus (this is the D-Bus method that
>>> currently does
>>> not exist and needs to be implemented)
>>>
>>>   9. certmonger executes the specified CA helper to handle the request
>>>
>>>   10. the CA helper requests the certificate from the CA and returns
>>> either the
>>> certificate, wait delay or error
>>>
>>>   11. certmonger returns the result back to cert-request
>>
>> These steps are subject to Fraser's question (and I am curious too), i.e.:
>>
>> - how is authentication done? certmonger runs with FreeIPA server host
>> principal.
> 
> We are on the server, so the RA agent cert is used to authenticate to Dogtag as
> usual, and whatever authentication is configured for other CAs is used for
> other CAs.

Right, this is how it works now. However, in FreeIPA 4.4 or later, we plan to
switch to GSSAPI authentication with Dogtag to get better authorization capabilities:

https://fedorahosted.org/freeipa/ticket/5011

But maybe this could be done via S4U2Proxy as Fraser suggested, although in
this case it would be more complicated as certmonger itself does not have
access to the user's HTTP/ipa.server ticket, like Apache does, given that Apache
would contact certmonger via DBUS.

> 
>> - how will we handle 3-step certificate request, i.e.:
>>    - certificate is requested and in moderation/wait queue
>>    - request has to be acked by Dogtag administrator (we do not have
>> API yet)
>>    - client should be able to ask for generated certificate
> 
> This is not really related to my proposal, since we have to figure this out for
> our Dogtag IPA CA anyway, but the CA helper can return a wait delay in this
> case, so certmonger can poll the request until it is approved.

Ok.

>>>   12. cert-request returns the result back to IPA CA helper on the client
>>>
>>>   13. the IPA CA helper on the client returns the result back to
>>> certmonger
>>>
>>>   14. if the result was wait delay, certmonger waits and then retries the
>>> request from step 4, otherwise it stores the certificate or sets error
>>> status
>>>
>>
>> Right, 12-14 is again the standard flow. Good summary of the steps!
> 
> 
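The flow discussed above (steps 7 to 14: sub-CA lookup, dispatch to a CA helper, and certmonger polling while the helper answers with a wait delay) modelled as a small simulation. This is an added example, not code from the thread, from FreeIPA or from certmonger; the sub-CA names, helper names, result type and the `max_polls` bound are constructed assumptions, and the real certmonger helper interface is not reproduced here. The bound on polling is the practitioner's caveat the thread does not spell out: a request stuck in the moderation queue must eventually surface as an error status rather than be retried forever.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Status(Enum):
    ISSUED = "issued"   # helper returned a certificate
    WAIT = "wait"       # helper returned a wait delay (request in moderation)
    ERROR = "error"     # helper returned an error / rejection


@dataclass
class HelperResult:
    status: Status
    certificate: Optional[str] = None
    wait_seconds: int = 0
    message: str = ""


# Constructed stand-in for the per-sub-CA configuration held in LDAP (step 7).
# Helper names are invented for this example.
SUBCA_CONFIG: Dict[str, Dict[str, str]] = {
    "ipa": {"helper": "example-dogtag-helper"},
    "vpn": {"helper": "example-vpn-helper"},
}
DEFAULT_SUBCA = "ipa"

Helper = Callable[[str], HelperResult]


def lookup_subca(name: Optional[str]) -> Dict[str, str]:
    """Step 7: resolve the requested sub-CA, falling back to the default."""
    key = name or DEFAULT_SUBCA
    if key not in SUBCA_CONFIG:
        raise LookupError("unknown sub-CA: %s" % key)
    return SUBCA_CONFIG[key]


def cert_request(subca: Optional[str], csr: str,
                 helpers: Dict[str, Helper]) -> HelperResult:
    """Steps 7-11 on the server: hand the CSR to the configured CA helper.

    `helpers` stands in for the helper executables certmonger would run
    on the server; an unknown sub-CA or missing helper is an error result,
    not an exception that escapes to the client."""
    try:
        cfg = lookup_subca(subca)
    except LookupError as exc:
        return HelperResult(Status.ERROR, message=str(exc))
    helper = helpers.get(cfg["helper"])
    if helper is None:
        return HelperResult(Status.ERROR,
                            message="helper not available: " + cfg["helper"])
    return helper(csr)


def certmonger_track(subca: Optional[str], csr: str, helpers: Dict[str, Helper],
                     sleep: Callable[[int], None], max_polls: int = 5) -> HelperResult:
    """Steps 12-14 on the client: retry while the helper reports a wait delay.

    `sleep` is injected so the demo does not block; `max_polls` (an assumption,
    not a certmonger setting) turns an indefinitely pending request into an
    error status instead of an endless loop."""
    for _ in range(max_polls):
        result = cert_request(subca, csr, helpers)
        if result.status is not Status.WAIT:
            return result
        sleep(result.wait_seconds)
    return HelperResult(Status.ERROR,
                        message="request still pending after %d polls" % max_polls)


def make_moderated_helper(pending_polls: int) -> Helper:
    """Constructed helper: answers 'wait' pending_polls times, then issues."""
    state = {"remaining": pending_polls}

    def helper(csr: str) -> HelperResult:
        if state["remaining"] > 0:
            state["remaining"] -= 1
            return HelperResult(Status.WAIT, wait_seconds=30,
                                message="awaiting administrator approval")
        return HelperResult(Status.ISSUED, certificate="CERT-FOR:" + csr)

    return helper


def rejecting_helper(csr: str) -> HelperResult:
    """Constructed helper that always rejects the request."""
    return HelperResult(Status.ERROR, message="request rejected by CA")


def run_demo() -> dict:
    """Exercise the four outcomes: issued after polling, rejected, unknown CA, stuck."""
    sleeps: List[int] = []
    helpers = {"example-dogtag-helper": make_moderated_helper(2),
               "example-vpn-helper": rejecting_helper}
    issued = certmonger_track(None, "csr-host1", helpers, sleeps.append)
    rejected = certmonger_track("vpn", "csr-host1", helpers, sleeps.append)
    unknown = certmonger_track("nosuchca", "csr-host1", helpers, sleeps.append)
    stuck = certmonger_track("ipa", "csr-host2",
                             {"example-dogtag-helper": make_moderated_helper(10)},
                             sleeps.append, max_polls=3)
    return {"issued": issued, "rejected": rejected, "unknown": unknown,
            "stuck": stuck, "sleeps": sleeps}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The moderated helper models the three-step request (request, administrator approval, fetch) raised in the thread: the first polls return a wait delay, and only after approval does a poll return the certificate. Authentication of the helper to the CA is deliberately outside this model, since the thread leaves that question open.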