[Freeipa-users] User certificates with FreeIPA and another question.

Fraser Tweedale ftweedal at redhat.com
Sat Feb 7 05:53:32 UTC 2015


On Fri, Feb 06, 2015 at 03:30:34PM +0100, Martin Kosek wrote:
> On 02/06/2015 12:53 AM, Christopher Young wrote:
> > Obvious next question:  Any plans to implement that functionality or advice
> > on how one might get some level of functionality for this?  Would it be
> > possible to create another command-line based openssl CA that could issue
> > these but using IPA as the root CA for those?
> 
> As for FreeIPA plans, we plan to vastly improve our flexibility to process
> certificates in next upstream version - FreeIPA 4.2. In next version, one
> should be able to create other certificate profiles (from FreeIPA default
> service cert profile) or even subCAs to do what you want.
> 
> As for current workarounds, you would have to issue and sign, for example, an NSS-
> or openssl-based subCA and then sign user certs there. But I would leave Fraser
> or Jan to tell if this would be really possible.
> 
Christopher, until profiles and subCAs are available in FreeIPA your
options are:

- Issue client certificates from the existing Dogtag CA, by using an
  appropriate profile and including the relevant information in the
  certificate request.  Client certificates would be issued from the
  same CA as service certificates (but would have different keyUsage
  attributes, etc).

- Same as above, but spawn a subordinate Dogtag CA instance for
  issuing the client certificates.

- (Martin's suggestion:) Issue a subordinate signing certificate
  from the Dogtag CA and use OpenSSL or other CA software to issue
  client certificates.

The first option is the easiest but would not be considered good
practice because certificates intended for different client uses
(e.g. web, VPN) should be issued from different CAs.  But the latter
options are "heavyweight".

Hope that helps,
Fraser
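As an added illustration of the sub-CA option above (example code, not from this thread, FreeIPA or Dogtag), the Go program below stands up a throwaway root in place of the IPA CA, has it sign a subordinate CA that may only serve client authentication, issues a user certificate carrying the e-mail address as a SAN, and then checks that the result validates for client auth but not as a server certificate. The CA names, serial numbers, one-year lifetime and P-256 keys are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error: acceptable in a demo, not in real issuance code
	if err != nil {
		panic(err)
	}
	return v
}
// template builds a one-year certificate; ekus limits what it (or, for a CA, every chain beneath it) may serve.
func template(cn string, serial int64, ku x509.KeyUsage, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: ekus}
}
// issue signs tmpl under parent with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}
// BuildChain: a root (stand-in for the IPA/Dogtag CA) signs a client-auth-only sub-CA, which issues the user cert.
func BuildChain(email string) (root, sub, user *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootK, subK, userK := newKey(), newKey(), newKey()
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CA key usage; the leaf gets digitalSignature only
	rootT := template("Demo Root CA", 1, caKU) // no EKU on the root: it may issue anything
	root = issue(rootT, rootT, &rootK.PublicKey, rootK)
	sub = issue(template("Demo User Sub-CA", 2, caKU, x509.ExtKeyUsageClientAuth), root, &subK.PublicKey, rootK)
	userT := template(email, 3, x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth)
	userT.EmailAddresses = []string{email} // rfc822Name SAN, where verifiers look for the address
	user = issue(userT, sub, &userK.PublicKey, subK)
	return
}
// CheckClientCert: the user cert must verify for client auth and must NOT verify for server auth.
func CheckClientCert(root, sub, user *x509.Certificate) (clientOK, serverOK bool) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(sub)
	_, clientErr := user.Verify(opts)
	opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, serverErr := user.Verify(opts)
	return clientErr == nil, serverErr == nil
}
```

The EKU on the sub-CA is what keeps a compromise of that signing key from yielding usable server certificates; the same separation is what the first option above lacks when client and service certificates come from one CA.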

> > I'm just trying to provide a solution for situations where we would like to
> > utilize client/user cert authentication for situations like secure apache
> > directory access as well as user VPN certificates.  Any advice or ideas are
> > greatly appreciated.
> > 
> > Thanks again!
> > 
> > On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> > 
> >> Christopher Young wrote:
> >>> Some of this might be rudimentary, so I apologize if this is answered
> >>> somewhere, though I've tried to search and have not had much luck...
> >>>
> >>> Basically,  I would like to be able to issue user certificates (Subject:
> >>> email=sblblabla at blabla.local) in order to use client SSL security on
> >>> some things.  I'm very new to FreeIPA, but have worked with external CAs
> >>> in the past for similar requests, however this is my first entry into
> >>> creating/running a localized CA within an organization.
> >>
> >> IPA doesn't issue user certificates yet, only server certificates.
> >>
> >>> I was wondering if this is possible via the command line, and if so, how
> >>> to go about submitting the request and receiving the certificate.  Any
> >>> guidance or assistance would be greatly appreciated!
> >>>
> >>>
> >>> Additionally, just as a matter of cleanliness, is there any way possible
> >>> to just completely wipe out the existence of a certificate/request from
> >>> FreeIPA.  I have done some trial-and-error and obviously have made
> >>> mistakes that I'd prefer to clean up after.  I've revoked those certs,
> >>> however the perfectionist in me hates seeing them there.  I'm quite
> >>> certain the answer is 'no', but I thought I would ask anyway.
> >>
> >> Right, the answer is no. In fact it is a good thing that all
> >> certificates are accounted for.
> >>
> >> rob