[Freeipa-users] Status on Sub-CAs for FreeIPA v4.2

Thibaut Pouzet thibaut.pouzet at lyra-network.com
Mon Jun 1 14:12:02 UTC 2015


Hi,

I am currently trying to use FreeIPA to issue client certificates for
some internal application we have. (More precisely, SSL double
authentication between two of my applications; the client side would be
Java, the server side would be Apache httpd.) I considered two options:

1. Issue client certificates directly from FreeIPA: it does not seem
that this is currently "supported". I can actually generate a client
certificate by creating a new principal for a host and using ipa-getcert
to generate a certificate for it. However, this certificate is valid for
both user and server authentication, and I cannot change that.
Furthermore, I cannot change the CN of the certificate; it is the
hostname of the server for which the principal has been generated. That's a
poor solution.


2. Issue a Sub-CA signed by the IPA CA, which I would use with openssl to
do whatever I want to do. I tried to use the dogtag profiles with the
ipa-getcert -T option, but the profiles were ignored when I tried to use
them, and I always got 'regular' certificates.

I did some research and found this RFE:
http://www.freeipa.org/page/V4/Sub-CAs

This Sub-CA notion seems to be perfect for what I want to do. When
I look at the ticket, it seems that it is quietly sleeping
somewhere, not being updated.

I would love to see this feature in FreeIPA v4.2. Does anyone have an
update on this RFE and its current status?

Cheers,


-- 
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com
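The dual-use certificate described in option 1 (valid for both server and client authentication) is the kind of thing worth checking before a certificate is deployed as a client identity. The following shell snippet is an added example, not part of the original post or of FreeIPA; it assumes only the openssl CLI (1.1.1 or newer, for -ext and -addext) and constructs its own sample certificates to show what a dual-use and a client-only EKU look like.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1.

# cert_ekus FILE: print the Extended Key Usage values of a PEM certificate,
# e.g. "TLS Web Server Authentication, TLS Web Client Authentication".
# Prints nothing when the certificate carries no EKU extension.
cert_ekus() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | sed -n '2s/^ *//p'
}

# client_only FILE: succeed (exit 0) only if the EKU is exactly clientAuth,
# i.e. the certificate cannot also be presented as a TLS server identity.
client_only() {
    ekus=$(cert_ekus "$1")
    [ "$ekus" = "TLS Web Client Authentication" ]
}

# make_cert OUTFILE CN EKU_LIST: build a constructed, self-signed sample
# certificate with the given subject CN and EKU list (test data only).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "extendedKeyUsage=$3" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: client_only /path/to/cert.pem && echo "client-only" || echo "not client-only"
```

Run client_only against the certificate ipa-getcert produced to confirm whether it is restricted to client authentication or, as the post describes, also usable for server authentication.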
