[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Bret Wortman bret.wortman at damascusgrp.com
Fri Jun 3 14:57:35 UTC 2016


I'm not sure I'd call what we have "success" just yet. ;-)

You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and 
see how we go.

Rob, would you have just used the existing "localhost.key" instead of 
generating a new one?


On 06/03/2016 09:48 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So for our internal yum server, I created a new key and cert request (it
>> had a localhost key and cert but I wanted to start clean):
>>
>>     # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>>     # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>>     # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r
>
> I try not to argue with success but I'd be curious what is actually 
> going on here. You generate a CSR and call it a certificate. It is 
> probably the case that certmonger is ignoring it altogether and 
> generating its own CSR.
>
>> ipa-getcert list shows it approved. I set up SSL in apache to use the
>> above .key and .crt, but when I try to run yum against this using ssl:
>>
>>     # yum search ffmpeg
>>     Loaded plugins: langpacks
>> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>>     [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
>>     not trusted by the user."
>>     :
>>
>> Is there a step I need to take on the clients so they'll accept this
>> cert as trusted? I thought having it be signed by the IPA CA would have
>> taken care of that.
>>
>>     # ls -l /etc/ipa/ca.crt
>>     -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
>>     #
>
> Pretty much only IPA tools know to use this file.
>
> My knowledge is a bit stale on adding the IPA CA to the global trust 
> but I'm pretty sure it is done automatically now and I think it was in 
> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have 
> this code.
>
> Look at this, 
> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
>
> The idea is to add the IPA CA to that and then all tools using SSL 
> would "just work".
>
> Something like:
>
> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> # update-ca-trust
>
> You'd need to remember to manually undo this if you ever redo your IPA 
> install (and get a new CA):
>
> # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> # update-ca-trust
>
> Like I said, I'm pretty sure this is all automatic in some more recent 
> versions of IPA.
>
> rob
>
>>
>> ---
>> Bret
>>
>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>>> Cool. I'll give this a go in the morning.
>>>
>>> Bret Wortman
>>> http://wrapbuddies.co/
>>>
>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>,
>>> wrote:
>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>>>> bret.wortman at damascusgrp.com wrote:
>>>>> Sorry, let me back up a step. We need to implement https
>>>>> everywhere. All our web services. And clients need to get
>>>>> keys & certs automatically whether through IPA or Puppet. These
>>>>> systems use IPA for everything but authentication (to keep most
>>>>> users off). I'm trying to suss out the easiest way to make this
>>>>> happen smoothly.
>>>>>
>>>> Hi Bret,
>>>>
>>>> You can use the IPA CA to sign service certificates. See
>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>>
>>>> IPA-enrolled machines already have the IPA certificate in their
>>>> trust store. If the clients are IPA-enrolled, everything should
>>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>>> clients via Puppet** or whatever means you prefer.
>>>>
>>>> ** you will have to work out how, because I do not know Puppet :)
>>>>
>>>> Cheers,
>>>> Fraser
>>>>
>>>>>
>>>>>
>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcritten at redhat.com>,
>>>>> wrote:
>>>>>> Bret Wortman wrote:
>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>>>> internal SSL certificates? Our system runs on a private network and so
>>>>>>> using the usual trusted sources isn't an option. We've been using
>>>>>>> self-signed, but that adds some additional complications and we thought
>>>>>>> this might be a good solution.
>>>>>>>
>>>>>>> Is it possible, and, since most online guides defer to "submit the CSR
>>>>>>> to Verisign" or whomever, how would you go about producing one in
>>>>>>> this way?
>>>>>>
>>>>>> Not sure I understand the question. The IPA CA is also self-signed. For
>>>>>> enrolled systems though at least the CA is pre-distributed so maybe that
>>>>>> will help.
>>>>>>
>>>>>> rob
>>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
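The two commands Rob gives (copy /etc/ipa/ca.crt into the anchors directory, run update-ca-trust) are the whole fix, but two things bite in practice: the copy silently goes stale if the IPA CA is ever regenerated, and nothing in the procedure checks that the certificate certmonger obtained actually chains to that CA. The script below is an added example written for this editing pass, not code from the thread or from the FreeIPA project. It assumes the standard client path /etc/ipa/ca.crt, uses /etc/pki/ca-trust/source/anchors (the administrator-managed anchor directory from the SharedSystemCertificates feature Rob links; /usr/share/pki/ca-trust-source/anchors, which Rob's reply uses, is the lower-priority package-managed location) and an anchor file name of my choosing, ipa-ca.pem. The SERVER_CRT and REPO_URL variables are placeholders for the yum server's certificate and repo URL from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): install the IPA CA into the shared
# system trust store idempotently, detect the stale-anchor case Rob warns
# about, and verify the result the way yum/curl will see it.
#
# Assumed paths (override via the environment):
#   IPA_CA     - CA cert that ipa-client-install places on every enrolled host
#   ANCHOR_DIR - administrator-managed anchor dir on Fedora/RHEL
IPA_CA=${IPA_CA:-/etc/ipa/ca.crt}
ANCHOR_DIR=${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}
ANCHOR_NAME=ipa-ca.pem   # our file name for the installed copy

# anchor_status SRC DIR -> prints: missing | current | stale
#   stale means a copy exists but differs from SRC (e.g. the IPA CA was
#   regenerated by a reinstall); update-ca-trust keeps trusting the OLD
#   CA until that file is replaced or removed.
anchor_status() {
    src=$1
    dst=$2/$ANCHOR_NAME
    if [ ! -f "$dst" ]; then
        echo missing
    elif cmp -s "$src" "$dst"; then
        echo current
    else
        echo stale
    fi
}

# anchor_install SRC DIR -> copies SRC into DIR only when missing or stale.
# Prints "installed" or "unchanged". Refuses anything that is not a PEM
# certificate, so a CSR or a private key cannot end up in the trust store.
anchor_install() {
    src=$1
    dir=$2
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "refusing: $src is not a PEM certificate" >&2
        return 1
    fi
    case $(anchor_status "$src" "$dir") in
        current) echo unchanged; return 0 ;;
    esac
    mkdir -p "$dir"
    cp "$src" "$dir/$ANCHOR_NAME"
    chmod 0644 "$dir/$ANCHOR_NAME"
    echo installed
}

# anchor_remove DIR -> the manual undo step; run it before re-enrolling
# against a rebuilt IPA CA so the old CA stops being trusted.
anchor_remove() {
    rm -f "$1/$ANCHOR_NAME"
}

# apply_system: the privileged part. Rebuilds the trust store only when the
# anchor changed, then checks that the service cert chains to the IPA CA
# (if it does not, no trust-store change will help) and that curl, which
# yum uses underneath, now accepts the server.
apply_system() {
    result=$(anchor_install "$IPA_CA" "$ANCHOR_DIR") || return 1
    echo "$result"
    if [ "$result" = installed ]; then
        update-ca-trust extract
    fi
    if [ -n "${SERVER_CRT:-}" ]; then
        openssl verify -CAfile "$IPA_CA" "$SERVER_CRT"
    fi
    if [ -n "${REPO_URL:-}" ]; then
        curl -sS -o /dev/null "$REPO_URL" && echo "curl trusts $REPO_URL"
    fi
}

# Only touch the real system when explicitly asked, e.g.:
#   SERVER_CRT=/etc/pki/tls/certs/server.crt REPO_URL=https://yum.private.net/ \
#       sh ipa-ca-trust.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_system
fi
```

The `openssl verify -CAfile /etc/ipa/ca.crt server.crt` step is worth running before touching the trust store at all: if certmonger generated its own CSR and wrote the IPA-signed certificate somewhere other than the file Apache serves, verify fails, and that is a different problem from the one the curl#60 error suggests.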