[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Rob Crittenden rcritten at redhat.com
Fri Jun 3 17:04:15 UTC 2016


Bret Wortman wrote:
>
>
> On 06/03/2016 11:02 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> I'm not sure I'd call what we have "success" just yet. ;-)
>>>
>>> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
>>> see how we go.
>>>
>>> Rob, would you have just used the existing "localhost.key" instead of
>>> generating a new one?
>>
>> No, I think you did the right thing, the default keysize was probably
>> still 1024 in F21. I double-checked the getcert-request man page and
>> it looks like it will use an existing key if one exists in the key
>> file passed in so I was wrong about that bit. You just didn't need to
>> use req to generate a CSR as certmonger will do that for you.
>>
> Good to know.
>
> I tried the update-ca-trust on both the yum server and on my workstation
> but nothing changed even after an httpd restart. I did take a peek
> inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
> didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
> I confess I'm not sure what should be where at this point).

You'd only need to do this on the machine acting as a client.

I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?

$ certutil -L -d /etc/pki/nssdb

rob

>
>
> Bret
>
>> rob
>>
>>>
>>>
>>> On 06/03/2016 09:48 AM, Rob Crittenden wrote:
>>>> Bret Wortman wrote:
>>>>> So for our internal yum server, I created a new key and cert
>>>>> request (it
>>>>> had a localhost key and cert but I wanted to start clean):
>>>>>
>>>>>     # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>>>>>     # openssl req -new -x509 -nodes -sha1 -days 365 \
>>>>>         -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>>>>>     # ipa-getcert request -f /etc/pki/tls/certs/server.crt \
>>>>>         -k /etc/pki/tls/private/server.key -r
>>>>
>>>> I try not to argue with success but I'd be curious what is actually
>>>> going on here. You generate a CSR and call it a certificate. It is
>>>> probably the case that certmonger is ignoring it altogether and
>>>> generating its own CSR.
>>>>
>>>>> ipa-getcert list shows it approved. I set up SSL in apache to use the
>>>>> above .key and .crt, but when I try to run yum against this using ssl:
>>>>>
>>>>>     # yum search ffmpeg
>>>>>     Loaded plugins: langpacks
>>>>>     https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>>>>>     [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
>>>>>     not trusted by the user."
>>>>>     :
>>>>>
>>>>> Is there a step I need to take on the clients so they'll accept this
>>>>> cert as trusted? I thought having it be signed by the IPA CA would
>>>>> have
>>>>> taken care of that.
>>>>>
>>>>>     # ls -l /etc/ipa/ca.crt
>>>>>     -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
>>>>>     #
>>>>
>>>> Pretty much only IPA tools know to use this file.
>>>>
>>>> My knowledge is a bit stale on adding the IPA CA to the global trust
>>>> but I'm pretty sure it is done automatically now and I think it was in
>>>> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have
>>>> this code.
>>>>
>>>> Look at this,
>>>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
>>>>
>>>> The idea is to add the IPA CA to that and then all tools using SSL
>>>> would "just work".
>>>>
>>>> Something like:
>>>>
>>>> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>> # update-ca-trust
>>>>
>>>> You'd need to remember to manually undo this if you ever redo your IPA
>>>> install (and get a new CA):
>>>>
>>>> # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>> # update-ca-trust
>>>>
>>>> Like I said, I'm pretty sure this is all automatic in some more recent
>>>> versions of IPA.
>>>>
>>>> rob
>>>>
>>>>>
>>>>> ---
>>>>> Bret
>>>>>
>>>>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>>>>>> Cool. I'll give this a go in the morning.
>>>>>>
>>>>>> Bret Wortman
>>>>>> http://wrapbuddies.co/
>>>>>>
>>>>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>,
>>>>>> wrote:
>>>>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>>>>>>> bret.wortman at damascusgrp.com wrote:
>>>>>>>> Sorry, let me back up a step. We need to implement https
>>>>>>>> everywhere. All our web services. And clients need to get
>>>>>>>> keys&certs automatically whether through IPA or Puppet. These
>>>>>>>> systems use IPA for everything but authentication (to keep most
>>>>>>>> users off). I'm trying to suss out the easiest way to make this
>>>>>>>> happen smoothly.
>>>>>>>>
>>>>>>> Hi Bret,
>>>>>>>
>>>>>>> You can use the IPA CA to sign service certificates. See
>>>>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>>>>>
>>>>>>> IPA-enrolled machines already have the IPA certificate in their
>>>>>>> trust store. If the clients are IPA-enrolled, everything should
>>>>>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>>>>>> clients via Puppet** or whatever means you prefer.
>>>>>>>
>>>>>>> ** you will have to work out how, because I do not know Puppet :)
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Fraser
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden<rcritten at redhat.com>,
>>>>>>>> wrote:
>>>>>>>>> Bret Wortman wrote:
>>>>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>>>>>>> internal SSL certificates? Our system runs on a private network
>>>>>>>>>> and so
>>>>>>>>>> using the usual trusted sources isn't an option. We've been using
>>>>>>>>>> self-signed, but that adds some additional complications and we
>>>>>>>>>> thought
>>>>>>>>>> this might be a good solution.
>>>>>>>>>>
>>>>>>>>>> Is it possible, and, since most online guides defer to "submit
>>>>>>>>>> the CSR
>>>>>>>>>> to Verisign" or whomever, how would you go about producing one in
>>>>>>>>>> this way?
>>>>>>>>>
>>>>>>>>> Not sure I understand the question. The IPA CA is also
>>>>>>>>> self-signed. For
>>>>>>>>> enrolled systems though at least the CA is pre-distributed so
>>>>>>>>> maybe
>>>>>>>>> that
>>>>>>>>> will help.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>
>>>>>>>> --
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

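Bret looked inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt for his /etc/ipa/ca.crt and did not find it. That grep is not a reliable check: the openssl-format extracted bundle stores anchors as "TRUSTED CERTIFICATE" PEM blocks, whose base64 body is the certificate DER with OpenSSL's trust attributes appended, so the text of ca.crt never appears verbatim even when the anchor has been installed and update-ca-trust has run. The script below is an added example (not from the thread, the IPA project or the ca-certificates package) that answers the question properly: it decodes every CERTIFICATE and TRUSTED CERTIFICATE block, trims each to the bare certificate DER by reading the outer SEQUENCE length, and compares SHA-256 fingerprints. It uses only the standard library. The embedded sample PEM data is constructed from minimal DER sequences that are not real certificates; they exist only to exercise the parsing. Pass the two file paths from the thread on the command line to run it against a real client.

```python
"""Is the IPA CA (e.g. /etc/ipa/ca.crt) present in an extracted ca-trust bundle?

Usage:
    python3 check_ipa_anchor.py /etc/ipa/ca.crt \
        /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

With no arguments the constructed sample data below is used instead.
"""
import base64
import hashlib
import re
import sys

# One PEM block: label (CERTIFICATE, TRUSTED CERTIFICATE, ...) and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length(data: bytes) -> int:
    """Total length of the first DER TLV in data; an X.509 cert is a SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def pem_certs(text: str):
    """Yield the bare certificate DER of each CERTIFICATE/TRUSTED CERTIFICATE block.

    TRUSTED CERTIFICATE blocks carry OpenSSL's CertAux trust attributes after the
    certificate, so the decoded bytes are cut at the end of the outer SEQUENCE.
    """
    for label, body in PEM_BLOCK.findall(text):
        if label not in ("CERTIFICATE", "TRUSTED CERTIFICATE"):
            continue
        raw = base64.b64decode("".join(body.split()))
        yield raw[:der_length(raw)]


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def missing_from_bundle(ca_pem: str, bundle_pem: str) -> set:
    """SHA-256 fingerprints of certs in ca_pem that the bundle does not contain."""
    wanted = {fingerprint(d) for d in pem_certs(ca_pem)}
    have = {fingerprint(d) for d in pem_certs(bundle_pem)}
    return wanted - have


def report(ca_pem: str, bundle_pem: str) -> str:
    missing = missing_from_bundle(ca_pem, bundle_pem)
    if missing:
        return "MISSING from bundle: " + ", ".join(sorted(missing))
    return "OK: every CA cert is present in the bundle"


# --- Constructed sample data (NOT real certificates) -------------------------
# Minimal DER SEQUENCEs stand in for certificate DER; FAKE_CERTAUX stands in for
# the trust attributes OpenSSL appends inside TRUSTED CERTIFICATE blocks.
FAKE_IPA_CA_DER = b"\x30\x03\x02\x01\x01"
FAKE_OTHER_CA_DER = b"\x30\x03\x02\x01\x02"
FAKE_CERTAUX = b"\x30\x00"


def pem(label: str, data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


SAMPLE_CA_PEM = pem("CERTIFICATE", FAKE_IPA_CA_DER)            # like /etc/ipa/ca.crt
SAMPLE_BUNDLE_OK = (pem("TRUSTED CERTIFICATE", FAKE_OTHER_CA_DER + FAKE_CERTAUX)
                    + pem("TRUSTED CERTIFICATE", FAKE_IPA_CA_DER + FAKE_CERTAUX))
SAMPLE_BUNDLE_MISSING = pem("TRUSTED CERTIFICATE", FAKE_OTHER_CA_DER + FAKE_CERTAUX)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            ca_text = f.read()
        with open(sys.argv[2]) as f:
            bundle_text = f.read()
    else:
        ca_text, bundle_text = SAMPLE_CA_PEM, SAMPLE_BUNDLE_MISSING
    print(report(ca_text, bundle_text))
```

This only answers whether the anchor reached the OpenSSL-format bundle that curl-based tools read. Rob's point about yum on F21 stands: if yum consults the NSS database, the trust flags reported by `certutil -L -d /etc/pki/nssdb` are the check that matters there, and this script does not cover that store.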