[Freeipa-users] User certificate workflow

Alessandro De Maria alessandro.demaria at gmail.com
Wed Mar 16 11:37:54 UTC 2016


Fantastic, thank you!
On 16 Mar 2016 12:21 a.m., "Fraser Tweedale" <ftweedal at redhat.com> wrote:

> On Tue, Mar 15, 2016 at 09:39:12AM +0000, Alessandro De Maria wrote:
> > Thank you Martin that's very helpful.
> >
> > The annoying thing about cut/paste from the web UI is that the cert is not
> > wrapped at 60 chars like it should be, but I guess I'll have to wait for
> > the save certificate functionality.
> > Any idea of when that's planned for?
> >
> > Regards
> > Alessandro
> >
> Hi Alessandro,
>
> The easiest way to get the cert is with `ipa user-show` (if
> it was saved to the IPA directory after issuance, which is controlled
> by the `store` option Martin mentioned). E.g.:
>
>     ipa user-show alice --out=cert.pem
>
> Which will save alice's certificate(s) to the file `cert.pem`.
>
> If you copy the data from the web UI and save it to a file, the
> following will convert it to PEM:
>
>     base64 -d < cert.txt | openssl x509 -inform DER > cert.pem
>
> Finally, to configure a profile to issue certificates with a
> validity of X days, the relevant profile configuration is:
>
>     policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
>     policyset.serverCertSet.2.constraint.name=Validity Constraint
>     policyset.serverCertSet.2.constraint.params.range=740
>     policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
>     policyset.serverCertSet.2.constraint.params.notAfterCheck=false
>     policyset.serverCertSet.2.default.class_id=validityDefaultImpl
>     policyset.serverCertSet.2.default.name=Validity Default
>     policyset.serverCertSet.2.default.params.range=X
>     policyset.serverCertSet.2.default.params.startTime=0
>
> Replace `X` above with the desired lifetime in days.  (Note that the
> index (`2`, above) may be different for different profiles.)
>
> Cheers,
> Fraser
>
> > On 15 March 2016 at 08:50, Martin Babinsky <mbabinsk at redhat.com> wrote:
> >
> > > On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> > >
> > >> Hello,
> > >>
> > >> I would like to have authenticated users to upload a csr request and
> > >> have their certificate automatically signed. Their certificate would
> > >> expire in x days.
> > >>
> > >> Given the short life of the certificate, I would then like them to be
> > >> able to easily download the certificate.
> > >>
> > >> Any suggestion on how to do it?
> > >> I would prefer the shell script approach but also having it self
> > >> serviced on the web ui would be great.
> > >>
> > >> Regards
> > >>
> > >>
> > >> --
> > >> Alessandro De Maria
> > >> alessandro.demaria at gmail.com <mailto:alessandro.demaria at gmail.com>
> > >>
> > >>
> > >>
> > > Hi Alessandro,
> > >
> > > For FreeIPA 4.2+ you can use the following links as a guide to set up a
> > > custom profile and CA ACL rules so that users can request certificates for
> > > themselves:
> > >
> > > http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
> > >
> > > https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
> > >
> > > The user can then generate a CSR request, e.g. using OpenSSL, and use 'ipa
> > > cert-request' to send it to the IPA CA. If you specify 'store=True' when
> > > adding the custom certificate profile, the certificate will be added to the
> > > user entry as the 'usercertificate;binary' attribute, which he can view from
> > > CLI/WebUI as PEM and save to a file by copy-pasting it (the
> > > functionality to save the certificate directly to a file is under
> > > development).
> > >
> > > It should be possible to modify the certificate profile to restrict the
> > > maximum validity of the issued certificate, but I have no knowledge about
> > > that. I have CC'ed Fraser Tweedale (the blog post author); he may help you
> > > with this.
> > >
> > > --
> > > Martin^3 Babinsky
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> > >
> >
> >
> >
> > --
> > Alessandro De Maria
> > alessandro.demaria at gmail.com
>
>
>
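The workflow Martin and Fraser describe above (CSR with OpenSSL, `ipa cert-request` against a custom profile with `store=True`, retrieval with `ipa user-show --out`, and converting a blob copied from the web UI to PEM), collected into shell functions. This is an added example, not code from the thread or from FreeIPA. It assumes `openssl` and `base64` on PATH; the `ipa_request` and `ipa_fetch` wrappers additionally assume the `ipa` client with a valid Kerberos ticket, so the demo defines but does not call them. The sample certificate and the single-line base64 blob are constructed locally, and `alice` and the profile name are placeholders. The last step checks the issued certificate's lifetime against the day limit that Fraser's `range=X` setting controls, which is the check an operator wants before trusting a profile change.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posts or from FreeIPA):
# the user-certificate workflow as shell functions. Assumes openssl and base64 on
# PATH; ipa_request and ipa_fetch additionally assume the ipa client and a valid
# Kerberos ticket, so the demo does not call them. The user name "alice" and the
# profile name used in comments are constructed placeholders.
set -eu

# Generate a private key and CSR for a user (subject is just the CN).
make_csr() {
    user=$1; dir=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
}

# Submit the CSR against a custom user profile (e.g. "userCert", placeholder);
# with store=True on the profile and a CA ACL permitting the user, the cert
# lands in the user's LDAP entry as usercertificate;binary.
ipa_request() {
    user=$1; csr=$2; profile=$3
    ipa cert-request "$csr" --principal="$user" --profile-id="$profile"
}

# Retrieve the stored certificate(s) as PEM, as in Fraser's reply.
ipa_fetch() {
    ipa user-show "$1" --out="$2"
}

# Convert the unwrapped base64 DER blob copied from the web UI into PEM
# (openssl re-wraps the base64 at 64 columns, as PEM requires).
blob_to_pem() {
    base64 -d < "$1" | openssl x509 -inform DER -out "$2"
}

# Return 0 if the certificate in $1 will still be valid $2 days from now,
# 1 if it will have expired by then (openssl -checkend does the comparison).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample: a self-signed certificate with the given lifetime stands
# in for one issued by the IPA CA, and its single-line base64 DER stands in
# for what the web UI displays.
make_sample_blob() {
    dir=$1; days=$2
    openssl req -x509 -new -newkey rsa:2048 -nodes -days "$days" -subj "/CN=alice" \
        -keyout "$dir/sample.key" -out "$dir/sample.pem" 2>/dev/null
    openssl x509 -in "$dir/sample.pem" -outform DER | openssl base64 -A > "$dir/blob.txt"
}

# Walk through the offline parts of the workflow with a 30-day profile limit.
demo() {
    max_days=30
    work=$(mktemp -d)
    make_csr alice "$work"                      # what the user would hand to ipa_request
    make_sample_blob "$work" "$max_days"        # stands in for the issued cert
    blob_to_pem "$work/blob.txt" "$work/alice.pem"
    openssl x509 -in "$work/alice.pem" -noout -subject -enddate
    if valid_for_days "$work/alice.pem" $(( max_days + 1 )); then
        echo "certificate outlives the ${max_days}-day profile validity"
    else
        echo "certificate validity is within the ${max_days}-day limit"
    fi
    rm -rf "$work"
}

demo
```

`valid_for_days` asks whether the certificate is still valid N days from now, so testing with the profile limit plus one day flags a certificate that was issued with a longer lifetime than the profile's `range` should allow; run it against a real certificate fetched with `ipa_fetch` after changing the profile to confirm the new `X` took effect.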