[Freeipa-users] using wildcard or other external CA certs

Rob Crittenden rcritten at redhat.com
Wed Jan 23 21:30:19 UTC 2013


Dmitri Pal wrote:
> On 01/23/2013 03:45 PM, Orion Poplawski wrote:
>> On 01/23/2013 01:43 PM, Dmitri Pal wrote:
>>> Yes please. Let us do it on the user list.
>>>
>>> Ticket URL: <https://fedorahosted.org/freeipa/ticket/3360#comment:14>
>>
>> So, my goal in using a wildcard cert signed by a "well known" CA was
>> to be able to avoid installing the IPA CA in clients like Thunderbird
>> and Firefox. Thoughts, comments, suggestions?
>>
> When you enroll the client we deliver the IPA CA cert to it and store it
> in every cert store we can AFAIU. But I will leave to Rob to comment on
> that.

Well, that is certainly a good idea. Unfortunately that isn't something 
we can do right now, even with passing in PKCS#12 files. I suspect that 
with enough intimate knowledge of the cert code you could get something 
to work (I'd guess you'd need to get the PKCS#12 friendly names just 
right). This is just hard to automate in any sort of reliable way.


> There is also a new feature in Fedora to consolidate the certificate
> store for different components:
> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> It is a step in the right direction. Once it is implemented we would
> be able to place the IPA cert there during enrollment.

Yup, I think this will help quite a bit.

> FF users have to accept IPA cert when they hit IPA self service the
> first time.
> I do not see a way around placing the certs into the right stores but
> maybe I am missing something. You can probably use something like
> puppet to deliver it but isn't the cert store for FF in the user home
> directory? It might not be available for puppet or any other central
> tool to mess with.
>

His point is that if he uses a cert issued by a root CA (e.g. Verisign) 
then his users won't have to do anything SSL trust-wise because it would 
already be trusted.

We spent a fair bit of time trying to figure this out a couple of years 
ago and could never come to any sort of workable solution. It is 
possible for the client installer to stuff the CA into various places 
but that always inevitably led to really bad corner cases, and in 
particular, issues with re-installs.

rob
