[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Rob Crittenden rcritten at redhat.com
Fri Jun 3 13:48:29 UTC 2016


Bret Wortman wrote:
> So for our internal yum server, I created a new key and cert request (it
> had a localhost key and cert but I wanted to start clean):
>
>     # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>     # openssl req -new -x509 -nodes -sha1 -days 365 -key
>     /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>     # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k
>     /etc/pki/tls/private/server.key -r

I try not to argue with success but I'd be curious what is actually 
going on here. You generate a CSR and call it a certificate. It is 
probably the case that certmonger is ignoring it altogether and 
generating its own CSR.

> ipa-getcert list shows it approved. I set up SSL in apache to use the
> above .key and .crt, but when I try to run yum against this using ssl:
>
>     # yum search ffmpeg
>     Loaded plugins: langpacks
>     https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>     [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
>     not trusted by the user."
>     :
>
> Is there a step I need to take on the clients so they'll accept this
> cert as trusted? I thought having it be signed by the IPA CA would have
> taken care of that.
>
>     # ls -l /etc/ipa/ca.crt
>     -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
>     #

Pretty much only IPA tools know to use this file.

My knowledge is a bit stale on adding the IPA CA to the global trust but 
I'm pretty sure it is done automatically now and I think it was in the 
4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have this code.

Look at this, 
https://fedoraproject.org/wiki/Features/SharedSystemCertificates

The idea is to add the IPA CA to that and then all tools using SSL would 
"just work".

Something like:

# cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

You'd need to remember to manually undo this if you ever redo your IPA 
install (and get a new CA):

# rm /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

Like I said, I'm pretty sure this is all automatic in some more recent 
versions of IPA.

rob

>
> ---
> Bret
>
> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>> Cool. I'll give this a go in the morning.
>>
>> Bret Wortman
>> http://wrapbuddies.co/
>>
>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>,
>> wrote:
>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>>> bret.wortman at damascusgrp.com wrote:
>>>> Sorry, let me back up a step. We need to implement https
>>>> everywhere. All our web services. And clients need to get
>>>> keys&certs automatically whether through IPA or Puppet. These
>>>> systems use IPA for everything but authentication (to keep most
>>>> users off). I'm trying to suss out the easiest way to make this
>>>> happen smoothly.
>>>>
>>> Hi Bret,
>>>
>>> You can use the IPA CA to sign service certificates. See
>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>
>>> IPA-enrolled machines already have the IPA certificate in their
>>> trust store. If the clients are IPA-enrolled, everything should
>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>> clients via Puppet** or whatever means you prefer.
>>>
>>> ** you will have to work out how, because I do not know Puppet :)
>>>
>>> Cheers,
>>> Fraser
>>>
>>>>
>>>>
>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden<rcritten at redhat.com>,
>>>> wrote:
>>>>> Bret Wortman wrote:
>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>>> internal SSL certificates? Our system runs on a private network and so
>>>>>> using the usual trusted sources isn't an option. We've been using
>>>>>> self-signed, but that adds some additional complications and we
>>>>>> thought
>>>>>> this might be a good solution.
>>>>>>
>>>>>> Is it possible, and, since most online guides defer to "submit the CSR
>>>>>> to Verisign" or whomever, how would you go about producing one in
>>>>>> this way?
>>>>>
>>>>> Not sure I understand the question. The IPA CA is also self-signed. For
>>>>> enrolled systems though at least the CA is pre-distributed so maybe
>>>>> that
>>>>> will help.
>>>>>
>>>>> rob
>>>>>
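The failure Bret hit and the anchor check Rob's caveat calls for, worked through as an added shell example that is not part of the thread. It builds a throwaway "IPA CA" and a server certificate signed by it (constructed in a temp directory, so nothing touches the real trust store), shows that `openssl verify` rejects the server cert with only the default system trust but accepts it once the CA is supplied as an anchor, and then compares fingerprints to detect an anchor copy that has gone stale after an IPA reinstall. The directory names `ca1`/`ca2` and the hostname `yum.private.net` are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. A throwaway CA plus a server cert
# it signed, kept in a temp dir; the system trust store is never modified.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a self-signed CA named $1 (e.g. ca1) and a server certificate it signs.
# This is the two-step flow (real CSR, then signing) that a single
# "openssl req -new -x509" short-circuits into a self-signed cert.
make_ca_and_server() {
  ca=$WORK/$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=Example/CN=Demo IPA CA $1" \
    -keyout "$ca.key" -out "$ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=yum.private.net" \
    -keyout "$WORK/server-$1.key" -out "$WORK/server-$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server-$1.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server-$1.crt" >/dev/null 2>&1
}

# Chain check against one explicit CA file ($1) for a server cert ($2):
# what curl/yum would do once the CA is in their trust set.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain check using only the default system trust store ($1 = server cert).
# Our demo CA is not in it, so this is the "issuer has been marked as not
# trusted" situation from the yum error.
verify_with_system_trust() {
  openssl verify "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file, used to compare an anchor copy
# with the CA currently in use.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Does the installed anchor copy ($2) still match the live CA ($1)?
# After an IPA reinstall /etc/ipa/ca.crt changes and the copy under
# ca-trust-source/anchors goes stale until it is replaced and
# update-ca-trust is re-run.
anchor_is_current() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

demo() {
  make_ca_and_server ca1
  if verify_with_system_trust "$WORK/server-ca1.crt"; then
    echo "unexpected: default trust store accepted the demo CA"
  else
    echo "default trust store: issuer not trusted (as yum/curl reported)"
  fi
  verify_against "$WORK/ca1.crt" "$WORK/server-ca1.crt" \
    && echo "with the IPA CA as an anchor: chain verifies"

  # Simulate the anchor copy from the message, then an IPA reinstall (new CA).
  cp "$WORK/ca1.crt" "$WORK/anchor-ipa-ca.pem"
  anchor_is_current "$WORK/ca1.crt" "$WORK/anchor-ipa-ca.pem" \
    && echo "anchor matches live CA"
  make_ca_and_server ca2
  anchor_is_current "$WORK/ca2.crt" "$WORK/anchor-ipa-ca.pem" \
    || echo "anchor stale after CA change: re-copy it and run update-ca-trust"
}

demo
```

On a real Fedora host the anchor copy is the `cp ... /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem` followed by `update-ca-trust` from the message; `anchor_is_current /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem` is a cheap check to script after any IPA reinstall so a forgotten anchor does not keep an old CA trusted.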