[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Bret Wortman bret.wortman at damascusgrp.com
Tue Jun 7 10:07:36 UTC 2016



On 06/03/2016 01:04 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>>
>>
>> On 06/03/2016 11:02 AM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> I'm not sure I'd call what we have "success" just yet. ;-)
>>>>
>>>> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
>>>> see how we go.
>>>>
>>>> Rob, would you have just used the existing "localhost.key" instead of
>>>> generating a new one?
>>>
>>> No, I think you did the right thing, the default keysize was probably
>>> still 1024 in F21. I double-checked the getcert-request man page and
>>> it looks like it will use an existing key if one exists in the key
>>> file passed in so I was wrong about that bit. You just didn't need to
>>> use req to generate a CSR as certmonger will do that for you.
>>>
>> Good to know.
>>
>> I tried the update-ca-trust on both the yum server and on my workstation
>> but nothing changed even after an httpd restart. I did take a peek
>> inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
>> didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
>> I confess I'm not sure what should be where at this point).
>
> You'd only need to do this on the machine acting as a client.
>
> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and 
> trusted?
>
> $ certutil -L -d /etc/pki/nssdb

It's in there on both the server and client.

> rob
>
>>
>>
>> Bret
>>
>>> rob
>>>
>>>>
>>>>
>>>> On 06/03/2016 09:48 AM, Rob Crittenden wrote:
>>>>> Bret Wortman wrote:
>>>>>> So for our internal yum server, I created a new key and cert
>>>>>> request (it had a localhost key and cert but I wanted to start clean):
>>>>>>
>>>>>>     # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>>>>>>     # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>>>>>>     # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r
>>>>>
>>>>> I try not to argue with success but I'd be curious what is actually
>>>>> going on here. You generate a CSR and call it a certificate. It is
>>>>> probably the case that certmonger is ignoring it altogether and
>>>>> generating its own CSR.
>>>>>
>>>>>> ipa-getcert list shows it approved. I set up SSL in apache to use the
>>>>>> above .key and .crt, but when I try to run yum against this using ssl:
>>>>>>
>>>>>>     # yum search ffmpeg
>>>>>>     Loaded plugins: langpacks
>>>>>>     https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>>>>>>     [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
>>>>>>     not trusted by the user."
>>>>>>     :
>>>>>>
>>>>>> Is there a step I need to take on the clients so they'll accept this
>>>>>> cert as trusted? I thought having it be signed by the IPA CA would
>>>>>> have
>>>>>> taken care of that.
>>>>>>
>>>>>>     # ls -l /etc/ipa/ca.crt
>>>>>>     -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
>>>>>>     #
>>>>>
>>>>> Pretty much only IPA tools know to use this file.
>>>>>
>>>>> My knowledge is a bit stale on adding the IPA CA to the global trust
>>>>> but I'm pretty sure it is done automatically now and I think it was in
>>>>> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have
>>>>> this code.
>>>>>
>>>>> Look at this,
>>>>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
>>>>>
>>>>> The idea is to add the IPA CA to that and then all tools using SSL
>>>>> would "just work".
>>>>>
>>>>> Something like:
>>>>>
>>>>> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>>> # update-ca-trust
>>>>>
>>>>> You'd need to remember to manually undo this if you ever redo your IPA
>>>>> install (and get a new CA):
>>>>>
>>>>> # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>>> # update-ca-trust
>>>>>
>>>>> Like I said, I'm pretty sure this is all automatic in some more recent
>>>>> versions of IPA.
>>>>>
>>>>> rob
>>>>>
>>>>>>
>>>>>> ---
>>>>>> Bret
>>>>>>
>>>>>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>>>>>>> Cool. I'll give this a go in the morning.
>>>>>>>
>>>>>>> Bret Wortman
>>>>>>> http://wrapbuddies.co/
>>>>>>>
>>>>>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>, wrote:
>>>>>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>>>>>>>> bret.wortman at damascusgrp.com wrote:
>>>>>>>>> Sorry, let me back up a step. We need to implement https
>>>>>>>>> everywhere. All our web services. And clients need to get
>>>>>>>>> keys&certs automatically whether through IPA or Puppet. These
>>>>>>>>> systems use IPA for everything but authentication (to keep most
>>>>>>>>> users off). I'm trying to suss out the easiest way to make this
>>>>>>>>> happen smoothly.
>>>>>>>>>
>>>>>>>> Hi Bret,
>>>>>>>>
>>>>>>>> You can use the IPA CA to sign service certificates. See
>>>>>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>>>>>>
>>>>>>>> IPA-enrolled machines already have the IPA certificate in their
>>>>>>>> trust store. If the clients are IPA-enrolled, everything should
>>>>>>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>>>>>>> clients via Puppet** or whatever means you prefer.
>>>>>>>>
>>>>>>>> ** you will have to work out how, because I do not know Puppet :)
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Fraser
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcritten at redhat.com>, wrote:
>>>>>>>>>> Bret Wortman wrote:
>>>>>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>>>>>>>> internal SSL certificates? Our system runs on a private network and so
>>>>>>>>>>> using the usual trusted sources isn't an option. We've been using
>>>>>>>>>>> self-signed, but that adds some additional complications and we thought
>>>>>>>>>>> this might be a good solution.
>>>>>>>>>>>
>>>>>>>>>>> Is it possible, and, since most online guides defer to "submit the CSR
>>>>>>>>>>> to Verisign" or whomever, how would you go about producing one in
>>>>>>>>>>> this way?
>>>>>>>>>>
>>>>>>>>>> Not sure I understand the question. The IPA CA is also
>>>>>>>>>> self-signed. For enrolled systems though at least the CA is
>>>>>>>>>> pre-distributed so maybe that will help.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
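Putting the two halves of the thread together (the certmonger request Bret ran on the yum server, and Rob's update-ca-trust steps for a client that does not get the IPA CA into its system trust automatically), here is an added example script. It is not code from the thread or from the FreeIPA project. The host name yum.private.net, the HTTP/<fqdn> service principal (which must already exist in IPA) and the file paths are assumptions; the anchor directory used is /etc/pki/ca-trust/source/anchors, which update-ca-trust(8) reserves for locally added CAs, alongside the /usr/share/pki/ca-trust-source/anchors path Rob quoted.

```bash
#!/bin/bash
# Added example, not code from the thread or from the FreeIPA project.
# Two halves of the procedure discussed above, as shell functions:
#   1. server side: request an HTTPS service certificate from the IPA CA via
#      certmonger without hand-rolling a CSR (certmonger makes key and CSR);
#   2. client side: put /etc/ipa/ca.crt into the shared system trust so
#      curl/yum (and anything else using the system store) trust IPA-issued
#      certificates, and take it out again if the CA is ever replaced.
# Assumptions: yum.private.net, the HTTP/<fqdn> service principal, and the
# file paths are placeholders; update-ca-trust(8) is present on the client.
set -eu

ANCHOR_NAME="ipa-ca.pem"

# Print the ipa-getcert invocation for an HTTPS service cert. certmonger
# generates the 2048-bit key (-g) and the CSR itself; -K names the IPA
# service principal the cert is issued to (assumed to exist in IPA already),
# -D adds a dNSName SAN, -w waits for the CA's answer instead of returning
# immediately.
build_getcert_cmd() {
  local fqdn="$1" certfile="$2" keyfile="$3"
  printf 'ipa-getcert request -f %s -k %s -g 2048 -K HTTP/%s -D %s -w\n' \
    "$certfile" "$keyfile" "$fqdn" "$fqdn"
}

# Copy the IPA CA into the trust-anchor directory, but only when it differs
# from what is already there. Exit status: 0 = installed or updated,
# 1 = already up to date, 2 = source is not a PEM certificate. The 0/1
# split makes the function usable as a change detector (e.g. a Puppet exec).
install_ipa_anchor() {
  local src="$1" dir="$2" dst="$2/$ANCHOR_NAME"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || {
    echo "refusing to trust $src: not a PEM certificate" >&2
    return 2
  }
  mkdir -p "$dir"
  if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
    return 1
  fi
  install -m 0644 "$src" "$dst"
  return 0
}

# Remove the anchor again (Rob's point: redoing the IPA install yields a new
# CA, and the old one must not stay trusted). 0 = removed, 1 = nothing there.
remove_ipa_anchor() {
  local dst="$1/$ANCHOR_NAME"
  [ -f "$dst" ] || return 1
  rm -f "$dst"
  return 0
}

# Client-side run. Guarded by an environment variable so that sourcing this
# file for its functions (or running it without privileges) changes nothing.
if [ "${IPA_TRUST_APPLY:-0}" = "1" ]; then
  # /etc/pki/ca-trust/source/anchors is the update-ca-trust(8) directory for
  # locally added CAs; /usr/share/pki/ca-trust-source/anchors (used in the
  # thread) is read as well but is meant for packaged CAs.
  if install_ipa_anchor /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors; then
    update-ca-trust
  fi
  # Rob's check: yum/curl on this platform go through NSS, so confirm the
  # IPA CA shows up with trust flags in the database they read.
  certutil -L -d /etc/pki/nssdb
fi
```

The client half only runs when IPA_TRUST_APPLY=1 is set (as root); sourcing the file just defines the functions. On the web server, build_getcert_cmd prints the ipa-getcert request to run in place of the openssl genrsa/req pair, since certmonger creates the key and CSR itself; ipa-getcert list then shows the tracking state as before, and httpd's SSLCertificateFile/SSLCertificateKeyFile point at the two paths given.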



