[Freeipa-users] using wildcard or other external CA certs

Orion Poplawski orion at cora.nwra.com
Wed Jan 23 21:57:39 UTC 2013


On 01/23/2013 02:30 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 01/23/2013 03:45 PM, Orion Poplawski wrote:
>>> On 01/23/2013 01:43 PM, Dmitri Pal wrote:
>>>> Yes please. Let us do it on the user list.
>>>>
>>>> Ticket URL: <https://fedorahosted.org/freeipa/ticket/3360#comment:14>
>>>
>>> So, my goal in using a wildcard cert signed by a "well known" CA was
>>> to be able to avoid installing the IPA CA in clients like Thunderbird
>>> and Firefox. Thoughts, comments, suggestions?
>>>
>> When you enroll the client we deliver the IPA CA cert to it and store it
>> in every cert store we can AFAIU. But I will leave to Rob to comment on
>> that.
>
> Well, that is certainly a good idea. Unfortunately that isn't something we can
> do right now, even with passing in PKCS#12 files. I suspect that with enough
> intimate knowledge of the cert code you could get something to work (I'd guess
> you'd need to get the PKCS#12 friendly names just right). This is just hard to
> automate in any sort of reliable way.

I'm not clear if you are referring to client (as Dmitri did) or server install 
(as I was trying to do) here.  Having client tools to install the IPA CA would 
be helpful, but would be needed on multiple platforms.

Handling the cert names seems to be the big issue with the server install (and 
the subject of the bug).  FWIW - I've managed to install and replicate 2.2 
with such a cert with the hack to the cert code and pausing the install at the 
right place to fix the CA trust level.  So I really don't think we are that 
far off if we wanted to go this route.  The problem I see at the moment is 
properly identifying the name the CA cert will have in the NSS store without a 
Friendly Name.

>> There is also a new feature in Fedora to consolidate the certificate
>> store for different components:
>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
>> It is the step into the right direction. Once it is implemented we would
>> be able to place IPA cert there during enrollment.
>
> Yup, I think this will help quite a bit.

For Fedora. But Windows, OS X, etc.?

>> FF users have to accept IPA cert when they hit IPA self service the
>> first time.
>> I do not see a way around placing the certs into the right stores but
>> maybe I am missing something. You can probably use something like
>> puppet to deliver it but isn't the cert store for FF in the user home
>> directory? It might not be available for puppet or any other central
>> tool to mess with.
>>
>
> His point is that if he uses a cert issued by a root CA (e.g. Verisign) then
> his users won't have to do anything SSL trust-wise because it would already be
> trusted.

Yup.

> We spent a fair bit of time trying to figure this out a couple of years ago
> and could never come to any sort of workable solution. It is possible for the
> client installer to stuff the CA into various places but that always
> inevitably led to really bad corner cases, and in particular, issues with
> re-installs.
>
> rob

Firefox is not so bad I suppose - you can click on a link and it will prompt 
you to install the cert.  I remember Thunderbird to be a much bigger pain, but 
perhaps that has changed.  I'll have to test.


I can also imagine another architecture where there are slave LDAP servers 
with root CA assigned certs for general clients to connect to.  The IPA 
webserver will only be accessed by a few clients so that is less of a big deal.

Thanks for the good discussion.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com