[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Rob Crittenden rcritten at redhat.com
Tue Jun 7 15:28:23 UTC 2016


Bret Wortman wrote:
>
>
> On 06/03/2016 01:04 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>>
>>>
>>> On 06/03/2016 11:02 AM, Rob Crittenden wrote:
>>>> Bret Wortman wrote:
>>>>> I'm not sure I'd call what we have "success" just yet. ;-)
>>>>>
>>>>> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
>>>>> see how we go.
>>>>>
>>>>> Rob, would you have just used the existing "localhost.key" instead of
>>>>> generating a new one?
>>>>
>>>> No, I think you did the right thing, the default keysize was probably
>>>> still 1024 in F21. I double-checked the getcert-request man page and
>>>> it looks like it will use an existing key if one exists in the key
>>>> file passed in so I was wrong about that bit. You just didn't need to
>>>> use req to generate a CSR as certmonger will do that for you.
>>>>
>>> Good to know.
>>>
>>> I tried the update-ca-trust on both the yum server and on my workstation
>>> but nothing changed even after an httpd restart. I did take a peek
>>> inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
>>> didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
>>> I confess I'm not sure what should be where at this point).
>>
>> You'd only need to do this on the machine acting as a client.
>>
>> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and
>> trusted?
>>
>> $ certutil -L -d /etc/pki/nssdb
>
> It's in there on both the server and client.

Hmm, this works for me on an F-21 system. I created an empty repo, added 
a yum config and was able to fetch it ok.

yum uses libcurl under the hood; you might try the same certutil command 
using sql:/etc/pki/nssdb as the NSS database and add in the IPA CA to 
see if that helps. Again, it is only needed on the client.

rob

>
>> rob
>>
>>>
>>>
>>> Bret
>>>
>>>> rob
>>>>
>>>>>
>>>>>
>>>>> On 06/03/2016 09:48 AM, Rob Crittenden wrote:
>>>>>> Bret Wortman wrote:
>>>>>>> So for our internal yum server, I created a new key and cert request (it
>>>>>>> had a localhost key and cert but I wanted to start clean):
>>>>>>>
>>>>>>>     # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>>>>>>>     # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>>>>>>>     # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r
>>>>>>
>>>>>> I try not to argue with success but I'd be curious what is actually
>>>>>> going on here. You generate a CSR and call it a certificate. It is
>>>>>> probably the case that certmonger is ignoring it altogether and
>>>>>> generating its own CSR.
>>>>>>
>>>>>>> ipa-getcert list shows it approved. I set up SSL in apache to use the
>>>>>>> above .key and .crt, but when I try to run yum against this using ssl:
>>>>>>>
>>>>>>>     # yum search ffmpeg
>>>>>>>     Loaded plugins: langpacks
>>>>>>>     https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>>>>>>>     [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
>>>>>>>     not trusted by the user."
>>>>>>>     :
>>>>>>>
>>>>>>> Is there a step I need to take on the clients so they'll accept this
>>>>>>> cert as trusted? I thought having it be signed by the IPA CA would have
>>>>>>> taken care of that.
>>>>>>>
>>>>>>>     # ls -l /etc/ipa/ca.crt
>>>>>>>     -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
>>>>>>>     #
>>>>>>
>>>>>> Pretty much only IPA tools know to use this file.
>>>>>>
>>>>>> My knowledge is a bit stale on adding the IPA CA to the global trust
>>>>>> but I'm pretty sure it is done automatically now and I think it was in
>>>>>> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have
>>>>>> this code.
>>>>>>
>>>>>> Look at this,
>>>>>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
>>>>>>
>>>>>> The idea is to add the IPA CA to that and then all tools using SSL
>>>>>> would "just work".
>>>>>>
>>>>>> Something like:
>>>>>>
>>>>>> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>>>> # update-ca-trust
>>>>>>
>>>>>> You'd need to remember to manually undo this if you ever redo your IPA
>>>>>> install (and get a new CA):
>>>>>>
>>>>>> # rm /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>>>> # update-ca-trust
>>>>>>
>>>>>> Like I said, I'm pretty sure this is all automatic in some more recent
>>>>>> versions of IPA.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>>
>>>>>>> ---
>>>>>>> Bret
>>>>>>>
>>>>>>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>>>>>>>> Cool. I'll give this a go in the morning.
>>>>>>>>
>>>>>>>> Bret Wortman
>>>>>>>> http://wrapbuddies.co/
>>>>>>>>
>>>>>>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>, wrote:
>>>>>>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>>>>>>>>> bret.wortman at damascusgrp.com wrote:
>>>>>>>>>> Sorry, let me back up a step. We need to implement https
>>>>>>>>>> everywhere. All our web services. And clients need to get
>>>>>>>>>> keys&certs automatically whether through IPA or Puppet. These
>>>>>>>>>> systems use IPA for everything but authentication (to keep most
>>>>>>>>>> users off). I'm trying to suss out the easiest way to make this
>>>>>>>>>> happen smoothly.
>>>>>>>>>>
>>>>>>>>> Hi Bret,
>>>>>>>>>
>>>>>>>>> You can use the IPA CA to sign service certificates. See
>>>>>>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>>>>>>>
>>>>>>>>> IPA-enrolled machines already have the IPA certificate in their
>>>>>>>>> trust store. If the clients are IPA-enrolled, everything should
>>>>>>>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>>>>>>>> clients via Puppet** or whatever means you prefer.
>>>>>>>>>
>>>>>>>>> ** you will have to work out how, because I do not know Puppet :)
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Fraser
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcritten at redhat.com>, wrote:
>>>>>>>>>>> Bret Wortman wrote:
>>>>>>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>>>>>>>>> internal SSL certificates? Our system runs on a private network and so
>>>>>>>>>>>> using the usual trusted sources isn't an option. We've been using
>>>>>>>>>>>> self-signed, but that adds some additional complications and we thought
>>>>>>>>>>>> this might be a good solution.
>>>>>>>>>>>>
>>>>>>>>>>>> Is it possible, and, since most online guides defer to "submit the CSR
>>>>>>>>>>>> to Verisign" or whomever, how would you go about producing one in
>>>>>>>>>>>> this way?
>>>>>>>>>>>
>>>>>>>>>>> Not sure I understand the question. The IPA CA is also self-signed. For
>>>>>>>>>>> enrolled systems though at least the CA is pre-distributed so maybe that
>>>>>>>>>>> will help.
>>>>>>>>>>>
>>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project




More information about the Freeipa-users mailing list