[Freeipa-users] User certificate workflow

Alessandro De Maria alessandro.demaria at gmail.com
Tue Mar 15 09:39:12 UTC 2016


Thank you Martin, that's very helpful.

The annoying thing about cut/paste from web ui is that the cert is not
wrapped at 60 chars like it should be, but I guess I'll have to wait for
the save certificate functionality.
Any idea of when that's planned for?

Regards
Alessandro

On 15 March 2016 at 08:50, Martin Babinsky <mbabinsk at redhat.com> wrote:

> On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I would like to have authenticated users upload a CSR request and
>> have their certificate automatically signed. Their certificate would
>> expire in x days.
>>
>> Given the short life of the certificate, I would then like them to be
>> able to easily download the certificate.
>>
>> Any suggestion on how to do it?
>> I would prefer the shell script approach but also having it self
>> serviced on the web ui would be great.
>>
>> Regards
>>
>>
>> --
>> Alessandro De Maria
>> alessandro.demaria at gmail.com <mailto:alessandro.demaria at gmail.com>
>>
>>
>>
> Hi Alessandro,
>
> for FreeIPA 4.2+ you can use the following links as a guide to set up a
> custom profile and CA ACL rules so that users can request certificates for
> themselves:
>
> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
>
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> The user can then generate a CSR request e.g. using OpenSSL and use 'ipa
> cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> the custom certificate profile, the certificate will be added to the user
> entry as 'usercertificate;binary' attribute which he can view from
> CLI/WebUI as PEM and save it to a file by copy-pasting it (The
> functionality to save the certificate directly to a file is under
> development).
>
> It should be possible to modify the certificate profile to restrict the
> maximum validity of the issued certificate but I have no knowledge about
> that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> with this.
>
> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>



-- 
Alessandro De Maria
alessandro.demaria at gmail.com
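
Added example (not part of the original thread and not FreeIPA code): a POSIX shell function that rebuilds a wrapped PEM file from certificate text copied out of the Web UI, the situation described in the message above. The function name rewrap_pem and the sample input are hypothetical; the default width of 64 is the PEM line length from RFC 7468.

```shell
#!/bin/sh
# rewrap_pem [width]
# Reads pasted certificate text on stdin (with or without BEGIN/END markers,
# on one line or many) and writes a wrapped PEM block to stdout.
# Returns non-zero if the input is empty or is not plausible base64.
rewrap_pem() {
    width="${1:-64}"

    # Strip CRs, remove any existing markers, then drop all whitespace so
    # only the base64 body remains as one long string.
    body=$(tr -d '\r' \
        | sed -e 's/-----BEGIN CERTIFICATE-----//' \
              -e 's/-----END CERTIFICATE-----//' \
        | tr -d ' \t\n')

    # Refuse empty input.
    [ -n "$body" ] || return 1

    # Refuse anything outside the base64 alphabet (catches truncated
    # markers, HTML fragments, or text pasted by mistake).
    case "$body" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac

    # Padded base64 is always a multiple of 4 characters long; anything
    # else means the paste was cut short.
    [ $(( ${#body} % 4 )) -eq 0 ] || return 1

    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$body" | fold -w "$width"
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Constructed sample: 100 placeholder base64 characters on a single line,
# standing in for an unwrapped paste. It is not a real certificate.
sample=$(printf '%0100d' 0 | tr 0 A)
printf '%s\n' "$sample" | rewrap_pem
```

With a real paste, redirect the output to a file and confirm it parses with `openssl x509 -in cert.pem -noout -subject -enddate`, which also shows the expiry date of the short-lived certificate.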