[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Rob Crittenden rcritten at redhat.com
Fri Jun 3 15:02:15 UTC 2016


Bret Wortman wrote:
> I'm not sure I'd call what we have "success" just yet. ;-)
>
> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
> see how we go.
>
> Rob, would you have just used the existing "localhost.key" instead of
> generating a new one?

No, I think you did the right thing, the default keysize was probably 
still 1024 in F21. I double-checked the getcert-request man page and it 
looks like it will use an existing key if one exists in the key file 
passed in so I was wrong about that bit. You just didn't need to use req 
to generate a CSR as certmonger will do that for you.

rob

>
>
> On 06/03/2016 09:48 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> So for our internal yum server, I created a new key and cert request (it
>>> had a localhost key and cert but I wanted to start clean):
>>>
>>>     # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>>>     # openssl req -new -x509 -nodes -sha1 -days 365 -key \
>>>         /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>>>     # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k \
>>>         /etc/pki/tls/private/server.key -r
>>
>> I try not to argue with success but I'd be curious what is actually
>> going on here. You generate a CSR and call it a certificate. It is
>> probably the case that certmonger is ignoring it altogether and
>> generating its own CSR.
>>
>>> ipa-getcert list shows it approved. I set up SSL in apache to use the
>>> above .key and .crt, but when I try to run yum against this using ssl:
>>>
>>>     # yum search ffmpeg
>>>     Loaded plugins: langpacks
>>>     https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>>>     [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
>>>     not trusted by the user."
>>>     :
>>>
>>> Is there a step I need to take on the clients so they'll accept this
>>> cert as trusted? I thought having it be signed by the IPA CA would have
>>> taken care of that.
>>>
>>>     # ls -l /etc/ipa/ca.crt
>>>     -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
>>>     #
>>
>> Pretty much only IPA tools know to use this file.
>>
>> My knowledge is a bit stale on adding the IPA CA to the global trust
>> but I'm pretty sure it is done automatically now and I think it was in
>> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have
>> this code.
>>
>> Look at this,
>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
>>
>> The idea is to add the IPA CA to that and then all tools using SSL
>> would "just work".
>>
>> Something like:
>>
>> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>> # update-ca-trust
>>
>> You'd need to remember to manually undo this if you ever redo your IPA
>> install (and get a new CA):
>>
>> # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>> # update-ca-trust
>>
>> Like I said, I'm pretty sure this is all automatic in some more recent
>> versions of IPA.
>>
>> rob
>>
>>>
>>> ---
>>> Bret
>>>
>>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>>>> Cool. I'll give this a go in the morning.
>>>>
>>>> Bret Wortman
>>>> http://wrapbuddies.co/
>>>>
>>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>,
>>>> wrote:
>>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>>>>> bret.wortman at damascusgrp.com wrote:
>>>>>> Sorry, let me back up a step. We need to implement https
>>>>>> everywhere. All our web services. And clients need to get
>>>>>> keys&certs automatically whether through IPA or Puppet. These
>>>>>> systems use IPA for everything but authentication (to keep most
>>>>>> users off). I'm trying to suss out the easiest way to make this
>>>>>> happen smoothly.
>>>>>>
>>>>> Hi Bret,
>>>>>
>>>>> You can use the IPA CA to sign service certificates. See
>>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>>>
>>>>> IPA-enrolled machines already have the IPA certificate in their
>>>>> trust store. If the clients are IPA-enrolled, everything should
>>>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>>>> clients via Puppet** or whatever means you prefer.
>>>>>
>>>>> ** you will have to work out how, because I do not know Puppet :)
>>>>>
>>>>> Cheers,
>>>>> Fraser
>>>>>
>>>>>>
>>>>>>
>>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcritten at redhat.com>,
>>>>>> wrote:
>>>>>>> Bret Wortman wrote:
>>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>>>>> internal SSL certificates? Our system runs on a private network
>>>>>>>> and so
>>>>>>>> using the usual trusted sources isn't an option. We've been using
>>>>>>>> self-signed, but that adds some additional complications and we
>>>>>>>> thought
>>>>>>>> this might be a good solution.
>>>>>>>>
>>>>>>>> Is it possible, and, since most online guides defer to "submit
>>>>>>>> the CSR
>>>>>>>> to Verisign" or whomever, how would you go about producing one in
>>>>>>>> this way?
>>>>>>>
>>>>>>> Not sure I understand the question. The IPA CA is also
>>>>>>> self-signed. For
>>>>>>> enrolled systems though at least the CA is pre-distributed so maybe
>>>>>>> that
>>>>>>> will help.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
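The "copy the CA into the anchors directory and run update-ca-trust" step that Rob describes above, written out as a small POSIX shell helper. This is an added example and is not code from the thread or from the FreeIPA project. It assumes the paths from the thread (/etc/ipa/ca.crt as the source, /usr/share/pki/ca-trust-source/anchors as the destination; on current Fedora/RHEL the administrator-local directory /etc/pki/ca-trust/source/anchors works the same way and takes priority), adds two checks a practitioner would want before trusting a file system-wide (the file must actually be a PEM certificate, and an existing anchor with different contents is not silently overwritten), and provides the matching removal step for the "redo your IPA install" case. The UPDATE_CA_TRUST variable is a hypothetical hook so the script can be exercised on a box without update-ca-trust; the verify function is the same chain check curl performs when it reports error 60, done with openssl against a single anchor file.

```shell
#!/bin/sh
# Added example (not from the thread): install or remove the IPA CA as a
# system-wide trust anchor on a Shared System Certificates host.
# Paths default to the ones used in the thread; override via environment.

IPA_CA_SRC="${IPA_CA_SRC:-/etc/ipa/ca.crt}"
ANCHOR_DIR="${ANCHOR_DIR:-/usr/share/pki/ca-trust-source/anchors}"
ANCHOR_NAME="ipa-ca.pem"
# Hypothetical hook: the command that rebuilds the trust bundles.
# Set UPDATE_CA_TRUST=true to skip the rebuild (e.g. for a dry run).
UPDATE_CA_TRUST="${UPDATE_CA_TRUST:-update-ca-trust}"

# A trust anchor must be a PEM certificate; refuse keys, CSRs, etc.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q '^-----END CERTIFICATE-----' "$1"
}

# Rebuild the consolidated bundles that curl, yum and friends read.
rebuild_trust() {
    if command -v "$UPDATE_CA_TRUST" >/dev/null 2>&1; then
        "$UPDATE_CA_TRUST" || return 3
    else
        echo "warning: $UPDATE_CA_TRUST not found; bundles not rebuilt" >&2
    fi
}

# install_ipa_ca SRC DIR: copy SRC into DIR as ipa-ca.pem and rebuild.
# Returns 1 for a non-certificate input, 2 if a different anchor of the
# same name already exists (a redone IPA install has a new CA; remove the
# old anchor explicitly rather than overwrite it by accident).
install_ipa_ca() {
    src="$1"; dir="$2"
    is_pem_cert "$src" || {
        echo "refusing: $src is not a PEM certificate" >&2; return 1; }
    mkdir -p "$dir"
    if [ -f "$dir/$ANCHOR_NAME" ] && ! cmp -s "$src" "$dir/$ANCHOR_NAME"; then
        echo "refusing: $dir/$ANCHOR_NAME exists with different contents" >&2
        return 2
    fi
    cp "$src" "$dir/$ANCHOR_NAME" && chmod 0644 "$dir/$ANCHOR_NAME" || return 1
    rebuild_trust
}

# remove_ipa_ca DIR: the undo step for when the IPA CA is replaced.
remove_ipa_ca() {
    rm -f "$1/$ANCHOR_NAME" && rebuild_trust
}

# verify_against_anchor ANCHOR CERT: the chain check that curl performs
# (curl#60 is the failing case). Requires openssl on the host.
verify_against_anchor() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use: ./ipa-ca-trust.sh install | remove
case "${1:-}" in
    install) install_ipa_ca "$IPA_CA_SRC" "$ANCHOR_DIR" ;;
    remove)  remove_ipa_ca "$ANCHOR_DIR" ;;
esac
```

Run as root with `install` after enrolling the host (or push the script and /etc/ipa/ca.crt with Puppet for non-enrolled clients), then confirm with `openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt server.crt` or simply `curl https://yum.private.net/` that the issuer is now trusted.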



