[Freeipa-users] User certificates with FreeIPA and another question.

Christopher Young mexigabacho at gmail.com
Mon Feb 9 19:24:12 UTC 2015


I actually think I can get this going at this time if I can just figure out
how to submit a subca csr to dogtag, sign it, and acquire it.
Documentation on that seems to be hard to come by, but I'm digging to avoid
eating up this thread (and trying to RTFM where possible).  I still stand
by my request for consulting time if anyone has more intimate knowledge,
however if someone can point me in the best direction for getting an openssl
based subca's csr submitted, signed, acquired, I think I can get the rest
going.  Your help would be greatly, greatly appreciated.

Chris

On Mon, Feb 9, 2015 at 12:18 PM, Christopher Young <mexigabacho at gmail.com>
wrote:

> Would anyone happen to have any guides on how one could get through this
> process?  I'm a one-man IT shop at the moment, so I'm building up a
> tremendous amount of infrastructure at once.  I'm thinking that the option
> of creating a subCA with something simple like openssl would be the best
> option, but figuring out that process in a minimal amount of time is going
> to be tough.
>
> I'm going to try and give myself some reading assignments and push that
> forward, but if anyone happens to have a good handle on that
> process/commands/etc. and would be interested in doing a couple of hours
> of consulting for me, I would be very interested in listening provided we
> could come up with a reasonable rate/timeframe.  If anyone is interested,
> please contact me directly off-list.
>
> Thanks again.  These answers/ideas have been most helpful.
>
> On Fri, Feb 6, 2015 at 9:30 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 02/06/2015 12:53 AM, Christopher Young wrote:
>> > Obvious next question:  Any plans to implement that functionality or
>> > advice on how one might get some level of functionality for this?  Would
>> > it be possible to create another command-line based openssl CA that
>> > could issue these but using IPA as the root CA for those?
>>
>> As for FreeIPA plans, we plan to vastly improve our flexibility to process
>> certificates in the next upstream version - FreeIPA 4.2. In the next
>> version, one should be able to create other certificate profiles (from the
>> FreeIPA default service cert profile) or even subCAs to do what you want.
>>
>> As for current workarounds, you would have to issue and sign, for example,
>> an NSS or openssl based subCA and then sign user certs there. But I would
>> leave it to Fraser or Jan to tell if this would be really possible.
>>
>> > I'm just trying to provide a solution for situations where we would
>> > like to utilize client/user cert authentication for situations like
>> > secure apache directory access as well as user VPN certificates.  Any
>> > advice or ideas are greatly appreciated.
>> >
>> > Thanks again!
>> >
>> > On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden <rcritten at redhat.com>
>> wrote:
>> >
>> >> Christopher Young wrote:
>> >>> Some of this might be rudimentary, so I apologize if this is answered
>> >>> somewhere, though I've tried to search and have not had much luck...
>> >>>
>> >>> Basically, I would like to be able to issue user certificates
>> >>> (Subject: email=sblblabla at blabla.local) in order to use client SSL
>> >>> security on some things.  I'm very new to FreeIPA, but have worked with
>> >>> external CAs in the past for similar requests, however this is my first
>> >>> entry into creating/running a localized CA within an organization.
>> >>
>> >> IPA doesn't issue user certificates yet, only server certificates.
>> >>
>> >>> I was wondering if this is possible via the command line, and if so,
>> >>> how to go about submitting the request and receiving the certificate.
>> >>> Any guidance or assistance would be greatly appreciated!
>> >>>
>> >>>
>> >>> Additionally, just as a matter of cleanliness, is there any way
>> >>> possible to just completely wipe out the existence of a
>> >>> certificate/request from FreeIPA?  I have done some trial-and-error and
>> >>> obviously have made mistakes that I'd prefer to clean up after.  I've
>> >>> revoked those certs, however the perfectionist in me hates seeing them
>> >>> there.  I'm quite certain the answer is 'no', but I thought I would ask
>> >>> anyway.
>> >>
>> >> Right, the answer is no. In fact it is a good thing that all
>> >> certificates are accounted for.
>> >>
>> >> rob
>> >>
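The workaround Martin describes above (an openssl-based subCA signed by the IPA root CA, which then issues user certs for client authentication), as an added example that is not part of this thread or of FreeIPA. It assumes openssl 1.1 or later on PATH; because Dogtag is not reachable offline, a locally generated stand-in root signs the sub-CA CSR, and in a real deployment that step is the CSR submission to the IPA CA. All names, paths and the alice@example.local identity are constructed.

```shell
# Added example, not from the thread: openssl sub-CA whose CSR is signed by
# a root CA, then a user (client-auth) cert issued by that sub-CA. Assumes
# openssl >= 1.1 on PATH; the root is a stand-in for the IPA/Dogtag CA.
set -eu

build_subca_chain() {
  WORK="${1:-$(mktemp -d)}"; mkdir -p "$WORK"; cd "$WORK"
  cat > ext.cnf <<'EOF'
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:copy
EOF
  # Stand-in root (self-signed). In production this is the existing IPA CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/O=EXAMPLE.LOCAL/CN=Stand-in Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ext.cnf -extensions root -out root.crt 2>/dev/null
  # Sub-CA key and CSR. subca.csr is the artifact that would go to Dogtag.
  openssl req -new -newkey rsa:2048 -nodes -keyout subca.key -out subca.csr \
    -subj "/O=EXAMPLE.LOCAL/CN=Example Sub CA" 2>/dev/null
  # Root signs it. CA:TRUE,pathlen:0 come from the signer's profile, not the
  # CSR, so the sub-CA may issue leaf certs but never another CA.
  openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ext.cnf -extensions subca -out subca.crt 2>/dev/null
  # User cert: the sub-CA signs a person's CSR; email:copy lifts the DN's
  # emailAddress into the SAN, where TLS client-auth code looks for it.
  openssl req -new -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
    -subj "/O=EXAMPLE.LOCAL/CN=alice/emailAddress=alice@example.local" 2>/dev/null
  openssl x509 -req -in alice.csr -CA subca.crt -CAkey subca.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions user -out alice.crt 2>/dev/null
  cat subca.crt root.crt > chain.pem   # what a relying party needs to trust
  echo "$WORK"
}

# Verify alice.crt for TLS client auth against root + sub-CA; prints OK or FAIL.
verify_user_cert() {
  if openssl verify -CAfile "$1/root.crt" -untrusted "$1/subca.crt" \
       -purpose sslclient "$1/alice.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
```

Run `D=$(build_subca_chain); verify_user_cert "$D"` and inspect `$D/subca.csr` with `openssl req -noout -text`; that CSR is what the IPA CA would sign in place of the stand-in root.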