[Freeipa-users] User certificates with FreeIPA and another question.

Christopher Young mexigabacho at gmail.com
Mon Feb 9 17:18:36 UTC 2015


Would anyone happen to have any guides on how one could get through this
process?  I'm a one-man IT shop at the moment, so I'm building up a
tremendous amount of infrastructure at once.  I'm thinking that the option
of creating a subCA with something simple like openssl would be the best
option, but figuring out that process in a minimal amount of time is going
to be tough.

I'm going to try and give myself some reading assignments and push that
forward, but if anyone happens to have a good handle on that
process/commands/etc. and would be interested in double a couple of hours
of consulting to me, I would be very interested in listening provided we
could come up with a reasonable rate/timeframe.  If anyone is interested,
please contact me directly off-list.

Thanks again.  These answers/ideas have been most helpful.

On Fri, Feb 6, 2015 at 9:30 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 02/06/2015 12:53 AM, Christopher Young wrote:
> > Obvious next question:  Any plans to implement that functionality or advice
> > on how one might get some level of functionality for this?  Would it be
> > possible to create another command-line based openssl CA that could issue
> > these but using IPA as the root CA for those?
>
> As for FreeIPA plans, we plan to vastly improve our flexibility to process
> certificates in the next upstream version - FreeIPA 4.2. In the next version,
> one should be able to create other certificate profiles (from FreeIPA default
> service cert profile) or even subCAs to do what you want.
>
> As for current workarounds, you would have to issue and sign a, for example,
> NSS or openssl based subCA and then sign user certs there. But I would leave
> Fraser or Jan to tell if this would be really possible.
>
> > I'm just trying to provide a solution for situations where we would like to
> > utilize client/user cert authentication for situations like secure apache
> > directory access as well as user VPN certificates.  Any advice or ideas are
> > greatly appreciated.
> >
> > Thanks again!
> >
> > On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >> Christopher Young wrote:
> >>> Some of this might be rudimentary, so I apologize if this is answered
> >>> somewhere, though I've tried to search and have not had much luck...
> >>>
> >>> Basically,  I would like to be able to issue user certificates (Subject:
> >>> email=sblblabla at blabla.local) in order to use client SSL security on
> >>> some things.  I'm very new to FreeIPA, but have worked with external CAs
> >>> in the past for similar requests, however this is my first entry into
> >>> creating/running a localized CA within an organization.
> >>
> >> IPA doesn't issue user certificates yet, only server certificates.
> >>
> >>> I was wondering if this is possible via the command line, and if so, how
> >>> to go about submitting the request and receiving the certificate.  Any
> >>> guidance or assistance would be greatly appreciated!
> >>>
> >>>
> >>> Additionally, just as a matter of cleanliness, is there any way possible
> >>> to just completely wipe out the existence of a certificate/request from
> >>> FreeIPA.  I have done some trial-and-error and obviously have made
> >>> mistakes that I'd prefer to clean up after.  I've revoked those certs,
> >>> however the perfectionist in me hates seeing them there.  I'm quite
> >>> certain the answer is 'no', but I thought I would ask anyway.
> >>
> >> Right, the answer is no. In fact it is a good thing that all
> >> certificates are accounted for.
> >>
> >> rob
> >>
> >>
> >
> >
> >
>
>
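
The openssl subCA workaround discussed in this thread, sketched as an added example; it is not code from any list participant or from the FreeIPA project. Assumptions: a throwaway root CA built with openssl stands in for the existing CA (whether the IPA CA can sign a subCA request is left open above), and every name, subject and lifetime is a constructed sample value.

```shell
#!/bin/sh
# Constructed demo: every name, subject and lifetime below is a sample value.
set -eu

# new_csr NAME SUBJECT: fresh RSA key plus a CSR for it
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# make_chain DIR: stand-in root -> subCA -> user certificate, all inside DIR
make_chain() (
    cd "$1"
    # Stand-in root (assumption: the organisation's existing CA plays this role)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    new_csr root "/O=EXAMPLE.LOCAL/CN=Stand-in Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile root.ext -out root.crt 2>/dev/null
    # subCA: pathlen:0 lets it sign end-entity certs but no further CAs
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    new_csr sub "/O=EXAMPLE.LOCAL/CN=User Sub CA"
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile sub.ext -out sub.crt 2>/dev/null
    # User cert: not a CA, client authentication only
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext
    new_csr user "/O=EXAMPLE.LOCAL/CN=testuser/emailAddress=testuser@example.local"
    openssl x509 -req -in user.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 30 -extfile user.ext -out user.crt 2>/dev/null
)

# verify_user_cert DIR PURPOSE: succeeds only if user.crt chains to the root
# through the subCA and is acceptable for PURPOSE (sslclient or sslserver)
verify_user_cert() {
    openssl verify -purpose "$2" -CAfile "$1/root.crt" \
        -untrusted "$1/sub.crt" "$1/user.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_chain "$demo"
verify_user_cert "$demo" sslclient && echo "user cert accepted for client auth"
```

The `-nodes` option leaves the demo keys unencrypted on disk; a real subCA key would be passphrase-protected and kept off any networked host.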