[Freeipa-users] Searching for subjectKeyIdentifier in SSL certs

Nalin Dahyabhai nalin at redhat.com
Fri Feb 24 01:18:51 UTC 2012


On Wed, Feb 22, 2012 at 02:57:03PM -0900, Erinn Looney-Triggs wrote:
> It looks like, as far as I can tell, the IPA pki setup does not by
> default include subjectKeyIdentifier in the SSL certificates issued. I
> am using ipa-getcert -f foo -k bar, to generate and submit the request.
> 
> I am a little hazy about how all of this fits together at this point, so
> please forgive me. However, it looks like the RFC states that the CA
> SHOULD be included with all end certificates:
> https://www.ietf.org/rfc/rfc3280.txt (Page 27). So it is fine that it is
> not included, but is there a way to modify IPA so that it does?

While certmonger doesn't currently add a subjectKeyIdentifier value to
the list of requested extensions which it includes in signing requests,
I guess it could, but you're right in thinking that it's more important
to get the CA to do it -- the CA can (and almost always should) ignore
anything we put in the signing request anyway.  And Dogtag is flexible
enough that we can do that without the rest of IPA being any the wiser.

> I assume this is all part of dogtag and it's operations, and it looks
> like from my research it should be possible in dogtag, but how IPA and
> dogtag work together etc. well I just don't know enough.

The short version is that certmonger uses XML-RPC to talk to the IPA
server, which then turns around and talks to the Dogtag instance running
on the same server (using an HTTP-based protocol that looks a lot like
XML-RPC), asking it to issue certificates using Dogtag's
"caIPAserviceCert" profile.

The profile, in turn, specifies to Dogtag what requirements a client
which asks it to issue a certificate using that profile should meet
(i.e., that it needs to authenticate using a certificate and key
that belongs to a registration agent, like IPA's) and what to put into
any certificates it issues using that profile.  As you've noticed,
that currently doesn't include a subjectKeyIdentifier extension.

The profile itself is just a configuration file, and while its syntax is
very flexible, based on what I have here, I'd suggest stopping your CA
and adding this to /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg:

  policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
  policyset.serverCertSet.10.constraint.name=No Constraint
  policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
  policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
  policyset.serverCertSet.10.default.params.critical=false

The "10" doesn't have to be "10", exactly.  Any identifier should do, so
long as it's not already being used.  Then append that identifier to the
"policyset.serverCertSet.list" value so that the server components will
find it.  I changed mine from this:

  policyset.serverCertSet.list=1,2,3,4,5,6,7,8

to this:

  policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10

Then restart the CA (or all of the IPA services, if it's easier), and
from the client, use "ipa-getcert resubmit" to get certmonger to
re-submit the signing requests for the certificates in question.  IPA
will ask Dogtag to issue new certificates, and those new certificates
should contain the subjectKeyIdentifier extension.

That all works when I try it here.

And since it's a SHOULD in the spec, it'd probably make for a decent
enhancement request to have the profile include that by default.

HTH,

Nalin
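As an added illustration of the profile edit described in the reply above (this is not code from the thread or from the FreeIPA/Dogtag projects), the shell function below appends the subjectKeyIdentifier default to a Dogtag profile .cfg file, picking the lowest policy id that is not already used instead of hard-coding "10", updating the "policyset.serverCertSet.list" line, and refusing to add the block twice. The profile path and the policy set name are parameters; the second function checks an issued certificate with openssl once certmonger has resubmitted the request.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the profile uses the
# "policyset.serverCertSet" layout shown in the mail; run it on a copy first,
# and stop the CA before editing the live file.
# Usage: add_ski_policy /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
add_ski_policy() {
    cfg="$1"
    prefix="policyset.${2:-serverCertSet}"

    # Re-running must be safe: do nothing if the default is already there.
    if grep -q "subjectKeyIdentifierExtDefaultImpl" "$cfg"; then
        echo "$cfg: subjectKeyIdentifier default already present" >&2
        return 0
    fi

    # Current list of policy ids, e.g. "1,2,3,4,5,6,7,8".
    list=$(sed -n "s/^$prefix\.list=//p" "$cfg")
    [ -n "$list" ] || { echo "$cfg: no $prefix.list line" >&2; return 1; }

    # Smallest positive integer that is neither listed nor used as a key prefix.
    id=1
    while echo ",$list," | grep -q ",$id," || grep -q "^$prefix\.$id\." "$cfg"; do
        id=$((id + 1))
    done

    cat >> "$cfg" <<EOF
$prefix.$id.constraint.class_id=noConstraintImpl
$prefix.$id.constraint.name=No Constraint
$prefix.$id.default.class_id=subjectKeyIdentifierExtDefaultImpl
$prefix.$id.default.name=Subject Key Identifier Extension Default
$prefix.$id.default.params.critical=false
EOF
    # Append the new id to the list so the server components evaluate it.
    tmp="$cfg.tmp.$$"
    sed "s/^$prefix\.list=.*/&,$id/" "$cfg" > "$tmp" && cp "$tmp" "$cfg" && rm -f "$tmp"
    echo "$id"
}

# After "ipa-getcert resubmit", verify the reissued PEM certificate actually
# carries the extension (exit status 0 if present).
cert_has_ski() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 Subject Key Identifier"
}
```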
