[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

bret.wortman at damascusgrp.com
Fri Jun 3 18:41:08 UTC 2016


I'll check and report back Tuesday.

Bret Wortman
http://wrapbuddies.co/


On Jun 3, 2016, 1:04 PM -0400, Rob Crittenden <rcritten at redhat.com>, wrote:
> Bret Wortman wrote:
> > 
> > 
> > On 06/03/2016 11:02 AM, Rob Crittenden wrote:
> > > Bret Wortman wrote:
> > > > I'm not sure I'd call what we have "success" just yet. ;-)
> > > > 
> > > > You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
> > > > see how we go.
> > > > 
> > > > Rob, would you have just used the existing "localhost.key" instead of
> > > > generating a new one?
> > > 
> > > No, I think you did the right thing, the default keysize was probably
> > > still 1024 in F21. I double-checked the getcert-request man page and
> > > it looks like it will use an existing key if one exists in the key
> > > file passed in so I was wrong about that bit. You just didn't need to
> > > use req to generate a CSR as certmonger will do that for you.
> > > 
> > Good to know.
> > 
> > I tried the update-ca-trust on both the yum server and on my workstation
> > but nothing changed even after an httpd restart. I did take a peek
> > inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
> > didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
> > I confess I'm not sure what should be where at this point).
> 
> You'd only need to do this on the machine acting as a client.
> 
> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?
> 
> $ certutil -L -d /etc/pki/nssdb
> 
> rob
> 
> > 
> > 
> > Bret
> > 
> > > rob
> > > 
> > > > 
> > > > 
> > > > On 06/03/2016 09:48 AM, Rob Crittenden wrote:
> > > > > Bret Wortman wrote:
> > > > > > So for our internal yum server, I created a new key and cert request
> > > > > > (it had a localhost key and cert but I wanted to start clean):
> > > > > > 
> > > > > > # openssl genrsa 2048 > /etc/pki/tls/private/server.key
> > > > > > # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
> > > > > > # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r
> > > > > 
> > > > > I try not to argue with success but I'd be curious what is actually
> > > > > going on here. You generate a CSR and call it a certificate. It is
> > > > > probably the case that certmonger is ignoring it altogether and
> > > > > generating its own CSR.
> > > > > 
> > > > > > ipa-getcert list shows it approved. I set up SSL in apache to use the
> > > > > > above .key and .crt, but when I try to run yum against this using ssl:
> > > > > > 
> > > > > > # yum search ffmpeg
> > > > > > Loaded plugins: langpacks
> > > > > > https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
> > > > > > 
> > > > > > Is there a step I need to take on the clients so they'll accept this
> > > > > > cert as trusted? I thought having it be signed by the IPA CA would
> > > > > > have taken care of that.
> > > > > > 
> > > > > > # ls -l /etc/ipa/ca.crt
> > > > > > -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
> > > > > > #
> > > > > 
> > > > > Pretty much only IPA tools know to use this file.
> > > > > 
> > > > > My knowledge is a bit stale on adding the IPA CA to the global trust
> > > > > but I'm pretty sure it is done automatically now and I think it was in
> > > > > the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have
> > > > > this code.
> > > > > 
> > > > > Look at this,
> > > > > https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> > > > > 
> > > > > The idea is to add the IPA CA to that and then all tools using SSL
> > > > > would "just work".
> > > > > 
> > > > > Something like:
> > > > > 
> > > > > # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> > > > > # update-ca-trust
> > > > > 
> > > > > You'd need to remember to manually undo this if you ever redo your IPA
> > > > > install (and get a new CA):
> > > > > 
> > > > > # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> > > > > # update-ca-trust
> > > > > 
> > > > > Like I said, I'm pretty sure this is all automatic in some more recent
> > > > > versions of IPA.
> > > > > 
> > > > > rob
> > > > > 
> > > > > > 
> > > > > > ---
> > > > > > Bret
> > > > > > 
> > > > > > On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
> > > > > > > Cool. I'll give this a go in the morning.
> > > > > > > 
> > > > > > > Bret Wortman
> > > > > > > http://wrapbuddies.co/
> > > > > > > 
> > > > > > > On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>, wrote:
> > > > > > > > On Thu, Jun 02, 2016 at 05:35:01PM -0400,
> > > > > > > > bret.wortman at damascusgrp.com wrote:
> > > > > > > > > Sorry, let me back up a step. We need to implement HTTPS
> > > > > > > > > everywhere. All our web services. And clients need to get
> > > > > > > > > keys & certs automatically whether through IPA or Puppet. These
> > > > > > > > > systems use IPA for everything but authentication (to keep most
> > > > > > > > > users off). I'm trying to suss out the easiest way to make this
> > > > > > > > > happen smoothly.
> > > > > > > > > 
> > > > > > > > Hi Bret,
> > > > > > > > 
> > > > > > > > You can use the IPA CA to sign service certificates. See
> > > > > > > > http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
> > > > > > > > 
> > > > > > > > IPA-enrolled machines already have the IPA certificate in their
> > > > > > > > trust store. If the clients are IPA-enrolled, everything should
> > > > > > > > Just Work, otherwise you can distribute the IPA CA certificate to
> > > > > > > > clients via Puppet** or whatever means you prefer.
> > > > > > > > 
> > > > > > > > ** you will have to work out how, because I do not know Puppet :)
> > > > > > > > 
> > > > > > > > Cheers,
> > > > > > > > Fraser
> > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcritten at redhat.com>, wrote:
> > > > > > > > > > Bret Wortman wrote:
> > > > > > > > > > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > > > > > > > > > internal SSL certificates? Our system runs on a private network
> > > > > > > > > > > and so using the usual trusted sources isn't an option. We've been
> > > > > > > > > > > using self-signed, but that adds some additional complications and
> > > > > > > > > > > we thought this might be a good solution.
> > > > > > > > > > > 
> > > > > > > > > > > Is it possible, and, since most online guides defer to "submit
> > > > > > > > > > > the CSR to Verisign" or whomever, how would you go about producing
> > > > > > > > > > > one in this way?
> > > > > > > > > > 
> > > > > > > > > > Not sure I understand the question. The IPA CA is also
> > > > > > > > > > self-signed. For enrolled systems though at least the CA is
> > > > > > > > > > pre-distributed so maybe that will help.
> > > > > > > > > > 
> > > > > > > > > > rob
> > > > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> 
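Rob's advice is to drop /etc/ipa/ca.crt into /usr/share/pki/ca-trust-source/anchors/ and run update-ca-trust, and Bret's check was to look for ca.crt inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt by eye. That file is written as OpenSSL "TRUSTED CERTIFICATE" blocks, whose DER is the certificate followed by a trust-attribute trailer, so the base64 is not a byte-for-byte copy of ca.crt and a textual comparison of the whole block is unreliable (its last characters differ whenever the certificate length is not a multiple of three bytes). The script below is an added example, not code from the thread or from FreeIPA, certmonger or ca-certificates: it decodes every block, keeps only the leading certificate SEQUENCE, and compares SHA-256 fingerprints, which is how a practitioner can confirm the anchor actually landed. The "certificates" embedded for the stand-alone run are constructed minimal DER SEQUENCEs, not real X.509 data; the default paths in the main guard are the ones named in the thread.

```python
"""Confirm a CA from a PEM file is present in a ca-trust bundle by fingerprint.

Added example for the thread above (not FreeIPA/certmonger code). The sample
certificates below are constructed DER stand-ins, not real X.509 certificates.
"""
import base64
import hashlib
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block in text."""
    for label, body in PEM_RE.findall(text):
        yield label, base64.b64decode("".join(body.split()))


def der_sequence_len(der):
    """Total length (tag + length bytes + content) of the DER SEQUENCE at offset 0."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n bytes of length follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def cert_der(label, der):
    """For a TRUSTED CERTIFICATE block, drop the X509_AUX trailer appended after the cert."""
    return der[:der_sequence_len(der)] if label == "TRUSTED CERTIFICATE" else der


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(bundle_pem):
    return {fingerprint(cert_der(lbl, d)) for lbl, d in pem_blocks(bundle_pem)}


def ca_in_bundle(ca_pem, bundle_pem):
    """True if every certificate in ca_pem (ca.crt may carry a chain) is in the bundle."""
    wanted = {fingerprint(cert_der(lbl, d)) for lbl, d in pem_blocks(ca_pem)}
    if not wanted:
        raise ValueError("no PEM certificates found in CA file")
    return wanted <= bundle_fingerprints(bundle_pem)


def naive_text_match(ca_pem, bundle_pem):
    """The grep-style check: is the CA's base64 body literally in the bundle text?"""
    body = "".join(PEM_RE.search(ca_pem).group(2).split())
    return body in "".join(bundle_pem.split())


# ---- constructed sample data (assumption: shapes only, no real certificates) ----
def _der_seq(content):
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + content


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


FAKE_IPA_CA = _der_seq(b"\x0c\x13IPA CA, constructed")        # 23 bytes, short-form length
FAKE_OTHER_CA = _der_seq(b"\x04\x81\xc8" + b"B" * 200)        # exercises long-form length
# CertAux trailer as OpenSSL writes it: SEQUENCE { SEQUENCE OF OID (serverAuth) }
AUX = _der_seq(_der_seq(b"\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01"))

IPA_CA_CRT = _pem("CERTIFICATE", FAKE_IPA_CA)                 # stands in for /etc/ipa/ca.crt
TRUST_BUNDLE = (_pem("TRUSTED CERTIFICATE", FAKE_OTHER_CA + AUX)
                + _pem("TRUSTED CERTIFICATE", FAKE_IPA_CA + AUX))
BUNDLE_WITHOUT_CA = _pem("TRUSTED CERTIFICATE", FAKE_OTHER_CA + AUX)


if __name__ == "__main__":
    import sys
    ca, bundle = (sys.argv[1:3] if len(sys.argv) == 3 else
                  ("/etc/ipa/ca.crt",
                   "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"))
    if os.path.exists(ca) and os.path.exists(bundle):
        with open(ca) as f, open(bundle) as g:
            print("present" if ca_in_bundle(f.read(), g.read()) else "MISSING")
    else:
        print("files not found; sample check:", ca_in_bundle(IPA_CA_CRT, TRUST_BUNDLE))
```

Run it on a client after update-ca-trust (or pass the CA file and bundle path as two arguments). The same fingerprint comparison works against the plain-CERTIFICATE bundle in /etc/pki/ca-trust/extracted/pem/, and against a CA that has been replaced after an IPA reinstall the check reports MISSING even though a file of the same name still sits in the anchors directory, which is the case Rob warns about.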