[Freeipa-users] Use of SAN's with automatic certificates in FreeIPA 4

Martin Kosek mkosek at redhat.com
Mon Sep 15 14:53:21 UTC 2014


On 09/12/2014 09:19 PM, Dmitri Pal wrote:
> On 09/12/2014 02:43 PM, Michael Lasevich wrote:
>> That is awesome, but I am clearly missing some insight as to how this is
>> supposed to work. Can you point me to some more specific info on how to
>> accomplish this.
>>
>> I tried using the ipa-getcert request with multiple -D's from the client, but
>> got:
>>
>> ** Insufficient access: You need to be a member of the serviceadmin role to
>> add services
>>
>> Unless I am missing something, I should probably not add each host to
>> "serviceadmins" for security reasons.
> 
> 4.0 has a new permissions system; this might yet be another use case that we
> might have overlooked.

No, not really - this part works well with 4.0.

> I will leave to developers to review this situation on Monday morning.
> 
>>
>> So then I tried generating a csr via openssl with SANs on the client and
>> then adding it using "ipa cert-request file.csr --principal
>> host/${client_hostname}@DOMAIN" from ipa server as admin (just to be sure)
>> and got this error (where <ALIAS> is the first SAN):
>>
>> ** ipa: ERROR: The service principal for subject alt name <ALIAS> in
>> certificate request does not exist
>>
>> It sounds like I need to create a service principal for each SAN, but I can't
>> seem to figure out how to do it (it only allows me to create service principals
>> for existing hosts)

You need to create an (unused) host for the SAN service first. After that you
can create the service. Dummy service/host entries with appropriate managedby
attribute are used to authorize which host/service.

I did a quick test with latest FreeIPA 4.0.3 and it worked for me:

# ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert -K test/`hostname` -N
CN=`hostname`,O=EXAMPLE.COM -D san.host.example.test -g 2048
New signing request "20140915143901" added.

# ipa-getcert list -i 20140915143901
Number of certificates and requests being tracked: 8.
Request ID '20140915143901':
	status: CA_REJECTED
	ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access: You need
to be a member of the serviceadmin role to add services).
	stuck: yes
	key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
	certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes


This is expected, now the authorization needs to be added:

# ipa service-add test/`hostname`
# ipa service-add test/san.host.example.test --force
# ipa service-add-host test/san.host.example.test --host `hostname`
  Principal: test/san.host.example.test at MKOSEK-FEDORA20.TEST
  Managed by: san.host.example.test, ipa.mkosek-fedora20.test
-------------------------
Number of members added 1
-------------------------


# ipa-getcert resubmit -i 20140915143901
Resubmitting "20140915143901" to "IPA".

# ipa-getcert list -i 20140915143901
Number of certificates and requests being tracked: 8.
Request ID '20140915143901':
	status: MONITORING
	stuck: no
	key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
	certificate:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MKOSEK-FEDORA20.TEST
	subject: CN=ipa.mkosek-fedora20.test,O=MKOSEK-FEDORA20.TEST
	expires: 2016-09-15 14:48:01 UTC
	dns: san.host.example.test
	principal name: test/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

# certutil -L -d /etc/httpd/nssdb -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=MKOSEK-FEDORA20.TEST"
        Validity:
            Not Before: Mon Sep 15 14:48:01 2014
            Not After : Thu Sep 15 14:48:01 2016
        Subject: "CN=ipa.mkosek-fedora20.test,O=MKOSEK-FEDORA20.TEST"
...
            Name: Certificate Subject Alt Name
            DNS name: "san.host.example.test"
...


I also updated
http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
with a couple of hints on how that works.

HTH,
Martin
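The sequence Martin walks through above (service for the requesting host, a dummy service per SAN created with --force, managedby pointing back at the requesting host, then the certmonger request) is easy to get out of order by hand. The script below is an added example, not code from the thread or from the FreeIPA project: it emits or runs those commands for any number of SANs. The service name HTTP, the hostnames and the NSS database path are assumed placeholders; with the default DRY_RUN=1 it only prints the commands, so it can be reviewed before anything touches the IPA server.

```shell
#!/bin/sh
# Added example (not from the thread): authorize one IPA host to obtain a
# certificate carrying extra DNS SANs, following the steps shown in the reply.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}

# run CMD ARGS... : print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# san_cert_commands SERVICE HOST NSSDB SAN...
#   SERVICE  service type used for the principal (e.g. HTTP, assumed here)
#   HOST     FQDN of the host that runs certmonger and will hold the key
#   NSSDB    NSS database the key pair and certificate are stored in
#   SAN...   additional DNS names that must appear in the certificate
san_cert_commands() {
    svc=$1; host=$2; nssdb=$3; shift 3
    dflags=""

    # principal the certificate is issued for; must exist before the request
    run ipa service-add "$svc/$host"

    for san in "$@"; do
        # --force skips the check that $san exists as an IPA host entry,
        # so the SAN service is a dummy entry used purely for authorization
        run ipa service-add "$svc/$san" --force
        # managedby: only $host may request/renew certs naming this SAN,
        # so no host needs to be put into the serviceadmin role
        run ipa service-add-host "$svc/$san" --host "$host"
        dflags="$dflags -D $san"
    done

    # one -D per SAN; $dflags is intentionally unquoted so it word-splits
    run ipa-getcert request -d "$nssdb" -n Server-Cert -K "$svc/$host" \
        -N "CN=$host,O=EXAMPLE.COM" $dflags -g 2048
}

# constructed sample invocation; hostnames are placeholders
san_cert_commands HTTP web1.example.test /etc/httpd/nssdb \
    alias1.example.test alias2.example.test
```

After running it for real (DRY_RUN=0), `ipa-getcert list -i <request id>` should move from CA_REJECTED to MONITORING, and the dns: line should list every SAN; a request that is still CA_REJECTED with the "serviceadmin role" error means one of the SAN services is missing or its managedby does not include the requesting host.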
