[Freeipa-users] User certificate workflow

Fraser Tweedale ftweedal at redhat.com
Wed Mar 16 00:21:03 UTC 2016


On Tue, Mar 15, 2016 at 09:39:12AM +0000, Alessandro De Maria wrote:
> Thank you Martin that's very helpful.
> 
> The annoying thing about cut/paste from web ui is that the cert is not
> wrapped at 60 chars like it should be, but I guess I'll have to wait for
> the save certificate functionality.
> Any idea of when that's planned for?
> 
> Regards
> Alessandro
> 
Hi Alessandro,

The easiest way to get the cert is with `ipa user-show` (if
it was saved to the IPA directory after issuance, which is controlled
by the `store` option Martin mentioned). E.g.:

    ipa user-show alice --out=cert.pem

Which will save alice's certificate(s) to the file `cert.pem`.

If you copy the data from the web UI and save it to a file, the
following will convert it to PEM:

    base64 -d < cert.txt | openssl x509 -inform DER > cert.pem

Finally, to configure a profile to issue certificates with a
validity of X days, the relevant profile configuration is:

    policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
    policyset.serverCertSet.2.constraint.name=Validity Constraint
    policyset.serverCertSet.2.constraint.params.range=740
    policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
    policyset.serverCertSet.2.constraint.params.notAfterCheck=false
    policyset.serverCertSet.2.default.class_id=validityDefaultImpl
    policyset.serverCertSet.2.default.name=Validity Default
    policyset.serverCertSet.2.default.params.range=X
    policyset.serverCertSet.2.default.params.startTime=0

Replace `X` above with the desired lifetime in days.  (Note that the
index (`2`, above) may be different for different profiles.)

Cheers,
Fraser
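
An added example (not code from this thread, nor from FreeIPA or Dogtag) covering the two steps in the reply above: turning the single unwrapped base64 line copied from the web UI into a properly wrapped PEM file, and checking a profile's validity policy before deploying it. The check exists because the `validityConstraintImpl` in the same policy rejects any request whose validity exceeds its own `range`, so the `X` you put in the default must not exceed the constraint's 740 days. The DER bytes and the `X=365` profile text are constructed sample data; the function names are this example's own.

```python
"""Added example, not code from the original thread or from FreeIPA/Dogtag:
helpers for turning web-UI base64 into PEM and for sanity-checking a
profile's validity default against its validity constraint.
All sample data below is constructed."""
import base64
import re

PEM_LINE_LEN = 64  # base64 body line length used by PEM (RFC 7468)
VALIDITY_DEFAULT = "validityDefaultImpl"
VALIDITY_CONSTRAINT = "validityConstraintImpl"


def base64_to_pem(raw: str) -> str:
    """Convert an unwrapped base64 blob (as pasted from the web UI) to PEM.

    Whitespace picked up by copy/paste is dropped; the data must be valid
    base64 and must start with the DER SEQUENCE tag (0x30) that every
    X.509 certificate begins with, otherwise ValueError is raised.
    """
    der = base64.b64decode(re.sub(r"\s+", "", raw), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like a DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + PEM_LINE_LEN] for i in range(0, len(b64), PEM_LINE_LEN))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes (used to round-trip)."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


# Matches one "policyset.<set>.<index>.<default|constraint>.<key>=<value>" line;
# the index is captured rather than assumed, since it differs between profiles.
_POLICY_LINE = re.compile(
    r"^policyset\.(?P<pset>[^.]+)\.(?P<idx>\d+)\."
    r"(?P<kind>default|constraint)\.(?P<key>[\w.]+)=(?P<val>.*)$"
)


def check_validity_profile(profile_text: str) -> dict:
    """Return {"<policyset>.<index>": (default_days, constraint_days)} for
    every validity policy found in a Dogtag profile.

    Raises ValueError when the default range is missing or not a number
    (for example the placeholder X was left in) or when it exceeds the
    constraint range, because the constraint would then reject every
    request made through the profile.
    """
    policies: dict = {}
    for line in profile_text.splitlines():
        m = _POLICY_LINE.match(line.strip())
        if m:
            key = f"{m['pset']}.{m['idx']}"
            policies.setdefault(key, {})[f"{m['kind']}.{m['key']}"] = m["val"].strip()

    result = {}
    for key, params in policies.items():
        if params.get("default.class_id") != VALIDITY_DEFAULT:
            continue
        if params.get("constraint.class_id") != VALIDITY_CONSTRAINT:
            raise ValueError(f"{key}: validity default has no validity constraint")
        try:
            default_days = int(params["default.params.range"])
            constraint_days = int(params["constraint.params.range"])
        except (KeyError, ValueError) as exc:
            raise ValueError(f"{key}: validity range missing or not a number") from exc
        if default_days > constraint_days:
            raise ValueError(
                f"{key}: default validity {default_days}d exceeds "
                f"constraint range {constraint_days}d"
            )
        result[key] = (default_days, constraint_days)
    return result


# Constructed stand-in for a certificate: a DER SEQUENCE wrapping a 100-byte
# OCTET STRING.  Not a real X.509 certificate, only bytes with the right
# outer tag so the example runs offline.
SAMPLE_DER = b"\x30\x66\x04\x64" + bytes(range(100))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
# What the web UI copy yields: one long unwrapped line, here with a stray
# newline of the kind copy/paste tends to add (constructed).
SAMPLE_WEBUI_TEXT = _b64[:70] + "\n" + _b64[70:]

# The validity lines from the reply above with X set to 365 days (constructed).
SAMPLE_PROFILE = """\
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=365
policyset.serverCertSet.2.default.params.startTime=0
"""

if __name__ == "__main__":
    print(base64_to_pem(SAMPLE_WEBUI_TEXT))
    print(check_validity_profile(SAMPLE_PROFILE))
    try:  # a default longer than the constraint allows is caught up front
        check_validity_profile(SAMPLE_PROFILE.replace("range=365", "range=1000"))
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to see the wrapped PEM and the parsed validity pair; to use it on a real profile, feed the profile's raw config text to `check_validity_profile` and the web UI paste to `base64_to_pem`, then verify the result with `openssl x509 -in cert.pem -noout -dates` as usual.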

> On 15 March 2016 at 08:50, Martin Babinsky <mbabinsk at redhat.com> wrote:
> 
> > On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> >
> >> Hello,
> >>
> >> I would like to have authenticated users to upload a csr request and
> >> have their certificate automatically signed. Their certificate would
> >> expire in x days.
> >>
> >> Given the short life of the certificate, I would then like them to be
> >> able to easily download the certificate.
> >>
> >> Any suggestion on how to do it?
> >> I would prefer the shell script approach but also having it self
> >> serviced on the web ui would be great.
> >>
> >> Regards
> >>
> >>
> >> --
> >> Alessandro De Maria
> >> alessandro.demaria at gmail.com
> >>
> >>
> >>
> > Hi Alessandro,
> >
> > for FreeIPA 4.2+ you can use the following links as a guide to set up a
> > custom profile and CA ACL rules so that users can request certificates for
> > themselves:
> >
> > http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
> >
> > https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
> >
> > The user then can generate CSR request e.g. using OpenSSL and use 'ipa
> > cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> > the custom certificate profile, the certificate will be added to the user
> > entry as 'usercertificate;binary' attribute which he can view from
> > CLI/WebUI as PEM and save it to a file by copy-pasting it (The
> > functionality to save the certificate directly to a file is under
> > development).
> >
> > It should be possible to modify the certificate profile to restrict the
> > maximum validity of the issued certificate but I have no knowledge about
> > that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> > with this.
> >
> > --
> > Martin^3 Babinsky
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
> 
> 
> 
> -- 
> Alessandro De Maria
> alessandro.demaria at gmail.com
