[Freeipa-users] Status on Sub-CAs for FreeIPA v4.2

Christopher Young mexigabacho at gmail.com
Tue Jun 2 00:37:30 UTC 2015


I, too, am very much in need of user certificates.  If it is possible to
set up an additional FreeIPA server to test this out, then I could help out
in testing the feature.  I obviously don't want to impact my production
environment too much, but it is rather stagnant, so if I can back up the
LDAP db every once in a while, that could work.  Otherwise, I could
possibly find some time to set up another instance for testing.  I
definitely need this feature!  Thank you so much for working on it.

Chris

On Mon, Jun 1, 2015 at 6:34 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:

> On Mon, Jun 01, 2015 at 05:19:20PM +0300, Alexander Bokovoy wrote:
> > On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
> > >Hi,
> > >
> > >I am currently trying to use FreeIPA to issue client certificates for
> > >some internal application we have. (More precisely, SSL double
> > >authentication between two of my applications, client side would be
> > >java, server-side would be apache httpd.) I considered two options:
> > >
> > >1. Issue client certificates directly from FreeIPA: It does not seem
> > >that it's currently "supported". I can actually generate a client
> > >certificate by creating a new principal for a host, and use ipa-getcert
> > >to generate a certificate for it. However, this certificate is valid for
> > >both user and server authentication, and I cannot change it.
> > >Furthermore, I cannot change the CN of the certificate; it is the
> > >server's hostname for which the principal has been generated. That's a
> > >poor solution.
> > >
> > >
> > >2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to
> > >do whatever I want to do. I tried to use the dogtag profiles with the
> > >ipa-getcert -T option, but the profiles were ignored when I tried to use
> > >them. And I always got 'regular' certificates.
> > >
> > >I did some research, and found this RFE :
> > >http://www.freeipa.org/page/V4/Sub-CAs
> > >
> > >And this Sub-CA notion seems to be perfect for what I want to do. When
> > >I'm looking at the ticket, it seems that it is quietly sleeping
> > >somewhere, remaining not updated.
> > >
> > >I would love to see this feature in FreeIPA v4.2. Does anyone have a
> > >status on this RFE and its current state?
> > >
> Hi Thibaut,
>
> I'm working on user certificates, profiles and sub-CAs.  User
> certificates and custom profiles are a near-certainty to make 4.2.
> Sub-CAs will not make it into the alpha; hopefully I can finish the
> feature and squeeze it into 4.2 but it's a possibility that sub-CAs
> will arrive in a follow-up release.
>
> Would you be willing to help test all these features and provide
> feedback?  I will soon be preparing a COPR with test builds so if
> you would like to help in this way, I can help you get set up to do
> this.  I (we) would really appreciate your feedback.
>
> Cheers,
> Fraser
>
>
> > Design page is there, the work happens on freeipa-devel at . There are
> > multiple patches in the review process right now. If you are willing to
> > help with testing them, welcome to the development list.
> >
> > --
> > / Alexander Bokovoy
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
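Added example, not from this thread and not FreeIPA or Dogtag code: a self-contained openssl walk-through of Thibaut's option 2 as a defender would set it up. A constructed root CA (standing in for the IPA CA) signs a sub-CA with pathlen:0; the sub-CA then issues a client certificate with a CN of our choosing and an Extended Key Usage limited to clientAuth, which addresses both complaints in option 1 (EKU valid for server use, CN forced to the hostname). The final checks verify the chain for the sslclient purpose and confirm the same certificate is rejected for the sslserver purpose. All organisation and CN values are constructed placeholders; the only requirement is the openssl command-line tool.

```shell
# Added example (not from this thread, not FreeIPA's own code). Requires openssl.
# Every name and subject below is a constructed placeholder.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Generate a fresh RSA key and CSR: newkey_csr <basename> <subject>
newkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign a CSR with an issuer: issue <csr> <extfile> <issuer.crt> <issuer.key> <out.crt> <days>
issue() {
  openssl x509 -req -in "$1" -extfile "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days "$6" -sha256 -out "$5" 2>/dev/null
}

# 1. Root CA, self-signed. No path length limit, so it may have a sub-CA beneath it.
cat > root.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
newkey_csr root "/O=EXAMPLE/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile root.ext \
  -days 365 -sha256 -out root.crt 2>/dev/null

# 2. Sub-CA signed by the root. pathlen:0 means it may sign end-entity certs only.
cat > subca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
newkey_csr subca "/O=EXAMPLE/CN=Example Client Sub-CA"
issue subca.csr subca.ext root.crt root.key subca.crt 365

# 3. Client certificate: a user CN of our choosing, EKU restricted to clientAuth.
cat > client.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
newkey_csr client "/O=EXAMPLE/CN=alice"
issue client.csr client.ext subca.crt subca.key client.crt 90

# Chain check with the purpose an httpd server enforces on client certificates.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted subca.crt -purpose sslclient client.crt >/dev/null 2>&1
}

# The same certificate must be rejected if someone presents it as a server certificate.
rejects_server_purpose() {
  ! openssl verify -CAfile root.crt -untrusted subca.crt -purpose sslserver client.crt >/dev/null 2>&1
}

# Human-readable EKU of a certificate (the -text layout is stable across openssl versions).
eku_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Subject CN, tolerant of both the "/CN=x" and "CN = x" subject output formats.
subject_cn_of() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

verify_chain && echo "client.crt chains to root.crt via subca.crt for clientAuth"
rejects_server_purpose && echo "client.crt is rejected for serverAuth (as intended)"
echo "EKU: $(eku_of client.crt); CN: $(subject_cn_of client.crt)"
```

The server side then trusts root.crt (or only subca.crt, if the sub-CA is the sole issuer of client certificates) and verifies peers with the sslclient purpose; the pathlen:0 constraint on the sub-CA keeps a leaked sub-CA key from minting further CAs, and the critical clientAuth-only EKU is what stops an issued user certificate from being accepted as a server certificate.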