[Freeipa-users] verified certificates both sides of a TLS channel
Martin Kosek
mkosek at redhat.com
Fri Mar 6 13:05:09 UTC 2015
On 03/06/2015 01:16 PM, Dmitri Pal wrote:
> On 03/06/2015 04:32 AM, Martin Kosek wrote:
>> On 03/06/2015 09:34 AM, Andrew Holway wrote:
>>> Hi,
>>>
>>> We're using rabbitmq to shunt bits of data around various systems. To provide
>>> better security we would like all of our acmq connections to be authenticated
>>> and encrypted.
>>>
>>> I'm looking for appropriate documentation or some friendly guidance on how
>>> server to server SSL authentication is done with freeipa and if indeed this is
>>> the best way to ensure privacy in such scenarios.
>>
>> These are the best documentation sources I could find:
>>
>> Creating certs for FreeIPA hosts:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html
>>
>>
>> Creating certs for FreeIPA services:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
>>
>>
>> With these certificates, you would need to manually configure SSL-based
>> authentication with mod_ssl/mod_nss. Partially related user howto is
>> http://www.freeipa.org/page/Apache_SNI_With_Kerberos
>>
>> I wonder if RabbitMQ has GSSAPI support; that would be easier to configure
>> with FreeIPA than SSL certs.
>>
>> Btw FreeIPA 4.2 plans to have much better support for different cert profiles
>> or sub-CAs that you may later use for purposes like this one.
>>
>> Ticket:
>> https://fedorahosted.org/freeipa/ticket/57
>>
>> CCing Fraser from Dogtag team for reference.
>>
>> Martin
>>
> What we are still missing is the client side certs. So AFAIU we would be able to
> provide certs for one way authentication, not two way yet.
> It is in the works.
Couldn't the authentication be provided with service certs and current default
certificate profile?
This is the ticket for the client certificate work, it was missing:
https://fedorahosted.org/freeipa/ticket/4938
Martin
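As an added illustration of the "manually configure SSL-based authentication" step discussed above (this is not from the thread or from the FreeIPA or RabbitMQ projects), the classic-format `rabbitmq.config` below makes the broker verify client certificates against the FreeIPA CA and derive the AMQP user name from the certificate, so both ends of the channel are authenticated. The FreeIPA CA path `/etc/ipa/ca.crt` is the one an enrolled host has; the broker certificate and key paths are assumptions, and the certificate itself is assumed to have been issued for the broker's service principal through certmonger (`ipa-getcert request`) as the linked service-certificate documentation describes.

```erlang
%% Added example, not the project's own configuration.
%% Assumed paths: /etc/pki/tls/certs/rabbitmq.crt and
%% /etc/pki/tls/private/rabbitmq.key hold the certificate/key that
%% FreeIPA issued for this broker's service principal.
[
 {rabbit, [
   %% Encrypted listener; plain AMQP on 5672 can be left disabled entirely.
   {tcp_listeners, []},
   {ssl_listeners, [5671]},

   {ssl_options, [
     %% Trust only the FreeIPA CA, so only IPA-issued client certs pass.
     {cacertfile, "/etc/ipa/ca.crt"},
     {certfile,   "/etc/pki/tls/certs/rabbitmq.crt"},
     {keyfile,    "/etc/pki/tls/private/rabbitmq.key"},

     %% One-way (server-only) authentication would be {verify, verify_none}:
     %% that encrypts the channel but authenticates nobody on the client side.
     %% Two-way authentication requires the peer to present a certificate
     %% chaining to cacertfile, and rejects connections that present none.
     {verify, verify_peer},
     {fail_if_no_peer_cert, true}
   ]},

   %% Offer SASL EXTERNAL so the verified client certificate, rather than a
   %% password, identifies the user (needs rabbitmq_auth_mechanism_ssl).
   {auth_mechanisms, ['EXTERNAL']},

   %% Take the RabbitMQ user name from the certificate CN, which for an
   %% IPA service cert is the host or service name that was enrolled.
   {ssl_cert_login_from, common_name}
 ]}
].
```

The `rabbitmq_auth_mechanism_ssl` plugin has to be enabled (`rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl`) and a RabbitMQ user matching each client certificate's CN must exist, otherwise a client with a valid IPA certificate still fails to log in. The same verification should be applied on the client side (trust `/etc/ipa/ca.crt` and check the broker's hostname) so that the check is genuinely mutual.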