[Freeipa-users] [Import existing CA Cert]

Martin Kosek mkosek at redhat.com
Wed Sep 23 08:51:54 UTC 2015


On 09/23/2015 10:05 AM, Michael Anderson wrote:
> Hi Martin,
> 
> thanks for your reply.
> 
> On 09/23/2015 09:07 AM, Martin Kosek wrote:
>> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>>>   Hi All,
>>>
>>> we're evaluating freeipa/dogtag as a pki management service and hoping to
>>> replace our existing menagerie of bash/openssl scripts. I'm trying to establish
>>> a migration path for our existing pki solution and have a few questions:
>> Hi Michael,
>>
>> Before you continue with the project, please keep in mind that FreeIPA PKI
>> capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
>> It does not allow you to generate completely random certificates (at the
>> moment).
> 
> Does that mean that I can only generate certificates for hosts running the
> client software?

Well, you need at least the host object in FreeIPA to be able to generate a
certificate for it. It does not need to be effectively used.

> What I'd really like to be able to do is automate Apache/Nginx
> SSL cert generation for our dev/continuous-delivery infrastructure. So I'd like
> to have two or three signing CAs for dev, staging and prod and automate CSR
> creation, signing and deployment. Is this feasible with freeipa?

So the requirement here is to have different Sub-CA for these environments?
FreeIPA 4.2 cannot do Sub-CAs yet, this is work proposed for next release:

https://fedorahosted.org/freeipa/ticket/4559

BTW, this is how you can request renewable certificates for HTTP with FreeIPA:

http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

>>> * how can I import and use our existing CA signing cert?
>>> * can I import existing server certs and keys?
>> Could you create FreeIPA server CA as subordinate CA to your current CA? To me,
>> it seems the easiest way as I do not think we have some nice CLIs to inject
>> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
>> have an idea.
>>
>> More here:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructurell
> 
> With my current project I'll be rebuilding a lot of stuff, so starting fresh
> with a new freeipa-generated signing cert won't be such a problem. That said,
> it seems to me that the ability to import and use an existing signing cert
> would lower the adoption threshold for new users.

My point was that if FreeIPA is a subordinate CA, it should still be trusted by
your clients that would have already imported its CA certificate.

>>> * I'm using Fedora22. When I install dogtag-pki, the user page for submitting
>>> CSRs is available. But when I install the freeipa package, I get a 404 when
>>> attempting to access the page. Is this functionality available in freeipa?
>> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
>> and passing the certificates from/to user. I think the Dogtag UI should be
>> still somehow accessible, but is not the supported way.
>>
>> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
>> via certmonger (man ipa-getcert) component that even renews the certificate.
>>
>> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
>> related capabilities than older versions, starting with Certificate Profiles,
>> which are a must if you do not want to use just a single fixed cert profile.
> 
> I'm using the version packaged with Fedora 22, 4.1.4

Ok. If you want to try the new FreeIPA 4.2 with Certificate Profiles on Fedora
22, there should be a COPR repo also:

https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/

>> More here:
>> http://www.freeipa.org/page/Releases/4.2.0
>>
>> Martin
> 
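The automation Michael asks about (per-host CSR creation, signing and deployment for Apache/Nginx) maps onto the certmonger path Martin points to above. The script below is an added example, not code from this thread or from the FreeIPA project: it makes sure the HTTP service principal exists for a web host (FreeIPA binds certificates to host/service objects) and then asks certmonger, via ipa-getcert, to generate the key, submit the CSR to the IPA CA, store the result and keep renewing it, reloading the web server on every save. The hostname, file paths and reload command are placeholders; it assumes an enrolled IPA client with a Kerberos ticket that may add services. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original message or the FreeIPA project).
# Assumes: an enrolled FreeIPA client, a Kerberos ticket allowed to add
# services, and the ipa / ipa-getcert CLIs on PATH. Hostnames, paths and
# the reload command below are placeholders. DRY_RUN=1 only prints commands.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# FreeIPA issues certificates only for its own objects, so the HTTP service
# principal for the host must exist before a certificate can be requested.
ensure_http_service() {
    host="$1"
    principal="HTTP/$host"
    if [ "${DRY_RUN:-0}" = "1" ] || ! ipa service-show "$principal" >/dev/null 2>&1; then
        run ipa service-add "$principal"
    fi
}

# Ask certmonger to create the key, build and submit the CSR to the IPA CA,
# store cert and key at the given paths, track the certificate for renewal,
# and run the reload command whenever a (new) certificate is saved.
request_http_cert() {
    host="$1"
    cert="$2"
    key="$3"
    reload_cmd="$4"
    run ipa-getcert request -f "$cert" -k "$key" \
        -K "HTTP/$host" -D "$host" -N "CN=$host" -C "$reload_cmd"
}

# Wire the two steps together for one web host.
provision_web_host() {
    host="$1"
    ensure_http_service "$host"
    request_http_cert "$host" \
        "/etc/pki/tls/certs/$host.pem" \
        "/etc/pki/tls/private/$host.key" \
        "systemctl reload httpd"
}

# Placeholder host; run with DRY_RUN=1 to see the commands that would be issued.
# provision_web_host web1.example.test
```

After the request is submitted, `ipa-getcert list` shows the tracking entry and its state (MONITORING once issued), and the same request line can be fed from a CI job for each newly built host. Separate dev/staging/prod issuers would need the Sub-CA work Martin links to; with FreeIPA 4.2 the closest substitute is distinct Certificate Profiles per environment.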