[Freeipa-users] Automatic IPA CA cert generation

James Masson james.masson at jmips.co.uk
Mon Sep 28 16:03:31 UTC 2015



On 24/09/15 01:20, Fraser Tweedale wrote:
> On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:
>>
>> On 23/09/15 11:03, Fraser Tweedale wrote:
>>> On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
>>>> On 22/09/15 17:02, James Masson wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> we're building IPAs in an automated fashion, for environments that get
>>>>> created and destroyed a lot. At the moment, the CA certs used inside
>>>>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>>>>> setup process.
>>>>>
>>>>> We would like to switch to issuing signed intermediate CA certs to the
>>>>> IPAs we deploy.
>>>>>
>>>>> The documentation lists the two part process necessary for this. First
>>>>> "--external-ca" - and then "--external-cert-file"
>>>>>
>>>>> Are there any ways to skip this, and give the setup process a known
>>>>> public/private key+cert up front? I'm hoping to avoid the need to have
>>>>> to use/send this automatically generated CSR every time.
>>>>>
>>>>> thanks
>>>>>
>>>>> James M
>>>>>
>>>>
>>>> Hello James,
>>>> currently it's not possible but making installation with an externally signed
>>>> CA a single step sounds really useful to me.
>>>> Currently certmonger is generating the CSR for FreeIPA server in the first
>>>> step of installation. Certmonger is also able to send certificate to
>>>> external CA for signing.
>>>>
>>>> I'm not sure if we could combine these two certmonger abilities right now
>>>> but if not it shouldn't be difficult to add functionality to certmonger to
>>>> send the CSR to a preconfigured CA instead of just storing it in a file.
>>>>
>>>> This would of course require configuring the certmonger with information
>>>> about the CA before FreeIPA server installation but it's just one command
>>>> (getcert-add-ca).
>>>>
>>>> Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
>>>>
>>> There are two sides to this - one is using Certmonger for automatic
>>> signing of intermediate CA certificate to be used by IPA, the other
>>> is simply using a CA cert that the administrator already possesses,
>>> e.g. in a PKCS #12 file.  These should be separate tickets.
>>>
>>> Cheers,
>>> Fraser
>>>
>>>> --
>>>> David Kupka
>>>>
>>
>> Done -
>>
>> https://fedorahosted.org/freeipa/ticket/5317
>> https://fedorahosted.org/freeipa/ticket/5318
>>
>> Would it be possible to use Certmonger to help with the 2-step process used at
>> the moment?
>>
>> i.e. run 'ipa-server-install' the first time - get the CSR
>> use local Certmonger to handle the CSR submission to upstream CA
>> use the resulting Cert in the second 'ipa-server-install'
>>
>> Any pointers?
>>
>> regards
>>
>> James M
>>
> I don't see an option for certmonger to use an existing CSR but you
> could ask it to create and track a new CSR for the same key.  See
> getcert-request(1) for full details.
>
> Cheers,
> Fraser
>

Any hints on how to make a request via Certmonger that would keep IPA happy?

Looking at the CSR, the awkward bits are...

###
Requested Extensions:
   X509v3 Basic Constraints: critical
       CA:TRUE
   X509v3 Key Usage: critical
       Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
###

I presume this is done with...
   -U EXTUSAGE	set requested extended key usage OID

How do I convert the IPA CSR text output for use with Certmonger?

thanks

James M
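
A pre-flight check for the two-step external-CA install discussed in this thread, added here as example code (it is not from FreeIPA, certmonger or anyone in the thread): it parses the text dump of the CSR, or of the certificate the external CA returns, and confirms the extensions James lists are present, so a CA that silently drops CA:TRUE or the signing key usages is caught before the second ipa-server-install run. The function names, the BAD_CERT_TEXT sample and the assumption that input looks like `openssl req -text` / `openssl x509 -text` output are mine.

```python
# Key usage bits an IPA CA certificate must keep to issue and revoke certs.
REQUIRED_KEY_USAGE = {"Certificate Sign", "CRL Sign"}
# The CSR excerpt quoted in the thread (openssl req -text output).
IPA_CSR_TEXT = """\
Requested Extensions:
   X509v3 Basic Constraints: critical
       CA:TRUE
   X509v3 Key Usage: critical
       Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
"""
# Constructed sample (openssl x509 -text layout): CA ignored the requested extensions.
BAD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
"""

def parse_extensions(text):
    """Extension name -> (is_critical, value lines) from a CSR or cert text dump."""
    exts, current, section_indent = {}, None, None
    for line in text.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if stripped in ("Requested Extensions:", "X509v3 extensions:"):
            section_indent = indent
        elif section_indent is None or not stripped:
            continue
        elif indent <= section_indent:
            break  # dedent ends the block (e.g. "Signature Algorithm:")
        elif stripped.startswith("X509v3 ") and ":" in stripped:
            current, _, flag = stripped.partition(":")
            exts[current] = (flag.strip() == "critical", [])
        elif current is not None:
            exts[current][1].append(stripped)
    return exts

def check_ca_extensions(text):
    """Problems blocking the --external-cert-file step; [] means safe to proceed."""
    exts, problems = parse_extensions(text), []
    bc_critical, bc_values = exts.get("X509v3 Basic Constraints", (False, []))
    ku_critical, ku_values = exts.get("X509v3 Key Usage", (False, []))
    if "CA:TRUE" not in bc_values:
        problems.append("Basic Constraints missing or not CA:TRUE")
    if missing := REQUIRED_KEY_USAGE - {u.strip() for v in ku_values for u in v.split(",")}:
        problems.append("Key Usage lacks: " + ", ".join(sorted(missing)))
    if not (bc_critical and ku_critical):
        problems.append("Basic Constraints and Key Usage should be critical")
    return problems
```

Run `check_ca_extensions()` on the output of `openssl x509 -text -noout -in <returned cert>` before passing the file to `--external-cert-file`; the CSR excerpt above yields no problems, while BAD_CERT_TEXT reports the missing CA:TRUE and the missing signing usages.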
