[Freeipa-users] User certificate workflow

Martin Babinsky mbabinsk at redhat.com
Tue Mar 15 08:50:06 UTC 2016


On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> Hello,
>
> I would like to have authenticated users to upload a csr request and
> have their certificate automatically signed. Their certificate would
> expire in x days.
>
> Given the short life of the certificate, I would then like them to be
> able to easily download the certificate.
>
> Any suggestion on how to do it?
> I would prefer the shell script approach but also having it self
> serviced on the web ui would be great.
>
> Regards
>
>
> --
> Alessandro De Maria
> alessandro.demaria at gmail.com
>
>

Hi Alessandro,

for FreeIPA 4.2+ you can use the following links as a guide to set up a 
custom profile and CA ACL rules so that users can request certificates 
for themselves:

http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

The user can then generate a CSR, e.g. using OpenSSL, and use 'ipa 
cert-request' to send it to the IPA CA. If you specify 'store=True' when 
adding the custom certificate profile, the certificate will be added to 
the user entry as the 'usercertificate;binary' attribute, which he can 
view from the CLI/WebUI as PEM and save to a file by copy-pasting it (the 
functionality to save the certificate directly to a file is under 
development).

It should be possible to modify the certificate profile to restrict the 
maximum validity of the issued certificate but I have no knowledge about 
that. I have CC'ed Fraser Tweedale (the blog post author), he may help 
you with this.

-- 
Martin^3 Babinsky
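The shell-script workflow the reply outlines (local CSR generation, 'ipa cert-request' under a custom profile, then pulling the stored 'usercertificate;binary' value back out as PEM), as an added example that is not code from this thread or from the FreeIPA project. The profile id 'userCert', the realm and the exact layout of the raw 'ipa user-show' output are assumptions and are marked as such in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Assumptions: a custom profile (hypothetical id 'userCert') was added with
# store=True, a CA ACL lets users request it for their own principal, and the
# caller already holds a Kerberos ticket for that user (kinit).
set -eu

REALM="${REALM:-EXAMPLE.TEST}"    # placeholder realm
PROFILE="${PROFILE:-userCert}"    # hypothetical profile id

# Turn the raw base64 value of 'usercertificate;binary' into PEM: strip
# whitespace, fold to 64 columns, and add the PEM armour lines.
pem_from_base64() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$1" | tr -d ' \t' | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Pull the first stored certificate off the user entry. Assumption: in
# 'ipa user-show --all --raw' the line reads 'usercertificate;binary: <b64>'
# (some versions may omit ';binary', hence the loose match on the name).
user_cert_pem() {
    b64=$(ipa user-show "$1" --all --raw \
          | sed -n 's/^ *usercertificate[^:]*: *//p' | head -n 1)
    [ -n "$b64" ] || { echo "no certificate stored for $1" >&2; return 1; }
    pem_from_base64 "$b64"
}

request_user_cert() {
    user="$1"
    # 1. Key and CSR are generated locally; the private key never leaves the host.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${user}" \
        -keyout "${user}.key" -out "${user}.csr"
    chmod 600 "${user}.key"
    # 2. Submit the CSR to the IPA CA for the user's own principal under the profile.
    ipa cert-request "${user}.csr" \
        --principal="${user}@${REALM}" --profile-id="${PROFILE}"
    # 3. Fetch the certificate IPA stored on the entry and save it as PEM.
    user_cert_pem "${user}" > "${user}.pem"
    # 4. Sanity check: confirm the subject and see when the short-lived cert expires.
    openssl x509 -in "${user}.pem" -noout -subject -enddate
}

# Usage: IPA_USER=alice sh request-user-cert.sh
if [ -n "${IPA_USER:-}" ]; then
    request_user_cert "$IPA_USER"
fi
```

Until the direct save-to-file feature lands, the 'openssl x509 -enddate' line at the end is the quickest way to check the validity window the profile actually issued.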
