[Freeipa-users] Certmonger (or similar) for FreeBSD?

David Kupka dkupka at redhat.com
Tue Oct 25 05:50:05 UTC 2016


On 24/10/16 19:26, Gilbert Wilson wrote:
>
>> On Oct 24, 2016, at 5:51 AM, David Kupka <dkupka at redhat.com> wrote:
>>
>> On 22/10/16 00:15, Gilbert Wilson wrote:
>>> We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could leverage our FreeIPA system's CA to do this. But, certmonger doesn't run on FreeBSD (or does it?). What other means have other people tried, or would you recommend investigating, to enable automated certificate issuance and renewal for FreeBSD FreeIPA clients?
>>>
>>> Any pointers are appreciated!
>>>
>>> Gil
>>>
>>
>> Hello Gil!
>>
>> I have very limited experience with *BSD systems, so the question may be completely off.
>> Have you tried to install and run certmonger using FreeBSD's Linux Binary Compatibility [1]? Though I don't know what the limitations or possible issues are, it could be a way.
>>
>> [1] http://www.freebsd.cz/doc/handbook/linuxemu.html
>>
>> --
>> David Kupka
>
>
> You know… I haven’t ever tried LBC! I suppose it’s worth a sacrificial virtual machine to see if it works. It also occurred to me that FreeIPA might have some sort of API given the web interface, and sure enough that made the Google-fu turn up more useful results.
>
> * https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
> * https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> * http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA
>
> There doesn’t appear to be a manual for the API but those examples seem to “show the way”. My initial thought is to create a script that uses kinit with a keytab to authenticate against FreeIPA and then create/renew permissible certificates for the system before they expire. This seems reasonable since the certificate creation/renewal is the scope of what I’m interested in doing. Do you see any reason not to do it this way or have any other alternative suggestions? Another way to think about it, perhaps, is what would you do on a Linux system if you didn’t have access to the FreeIPA client or certmonger?
>
> Thanks for the pointer/reminder about LBC!
>
> Gil
>
>
>

You're right, FreeIPA has a JSON RPC API. It's used in the WebUI and also in 
the 'ipa' CLI. If you have FreeIPA server 4.2 or above, there's an API Browser in 
the WebUI (IPA Server - API Browser). There you can find all commands and 
their parameters.
Just an obligatory disclaimer: talking directly to the API is not 
officially supported. This means that the API can change in future versions.

Good luck!
-- 
David Kupka
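The approach Gil sketches above (a script that authenticates to FreeIPA and requests or renews a host certificate through the JSON RPC API) looks roughly like the following. This is an added example, not code from the thread, the FreeIPA project, or the linked write-ups. It assumes a placeholder server name `IPA_HOST`, an API version string, and that the caller has a session cookie: either from `/ipa/session/login_kerberos` after `kinit -kt /etc/krb5.keytab` (which needs a SPNEGO-capable HTTP client such as requests-gssapi, not shown here) or from the `/ipa/session/login_password` form endpoint implemented below. The envelope shape (`params = [positional args, {options incl. version}]`, `Referer` header, `error` member in the reply) follows the write-ups linked in the thread; the two `valid_not_after` date formats handled by `parse_ipa_datetime` are assumptions about what different FreeIPA versions return, so check your own server's reply.

```python
"""FreeIPA JSON-RPC certificate request sketch (added example, not FreeIPA code).

Assumed: IPA_HOST, API_VERSION, the valid_not_after formats below, and a
session obtained via login_kerberos (SPNEGO) or login_password.
"""
import http.cookiejar
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

IPA_HOST = "ipa.example.test"      # placeholder; replace with the real server
API_VERSION = "2.156"              # assumed; the server echoes its own version in each reply
RENEW_WITHIN = timedelta(days=30)  # renew certificates expiring within this window


class IPAError(Exception):
    """Raised when the server reply carries a non-null 'error' member."""


def build_request(method, args=None, options=None, request_id=0):
    """JSON-RPC envelope FreeIPA expects: params = [positional args, keyword options]."""
    opts = dict(options or {})
    opts.setdefault("version", API_VERSION)
    return {"method": method, "params": [list(args or []), opts], "id": request_id}


def cert_request_body(csr_pem, principal, profile_id=None):
    """Envelope for cert_request: the CSR is positional, principal/profile are options."""
    opts = {"principal": principal, "add": True}  # add=True stores the cert on the host entry
    if profile_id:
        opts["profile_id"] = profile_id
    return build_request("cert_request", [csr_pem], opts)


def parse_response(raw):
    """Unwrap a FreeIPA reply; raise IPAError if the 'error' member is set."""
    reply = json.loads(raw)
    err = reply.get("error")
    if err:
        raise IPAError(f"{err.get('name')} (code {err.get('code')}): {err.get('message')}")
    return reply["result"]


def parse_ipa_datetime(value):
    """Accept either a plain string ('Fri Nov 25 18:13:51 2016 UTC') or the
    {'__datetime__': '20161125181351Z'} form; both formats are assumptions."""
    if isinstance(value, dict):
        stamp = datetime.strptime(value["__datetime__"], "%Y%m%d%H%M%SZ")
    else:
        stamp = datetime.strptime(value, "%a %b %d %H:%M:%S %Y UTC")
    return stamp.replace(tzinfo=timezone.utc)


def needs_renewal(not_after, now=None, window=RENEW_WITHIN):
    """True when the certificate expires within `window` (or has already expired)."""
    now = now or datetime.now(timezone.utc)
    return not_after - now <= window


def login_password(opener, user, password):
    """Obtain the ipa_session cookie via the form-login endpoint.
    With a keytab you would instead hit login_kerberos with a SPNEGO client."""
    data = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(
        f"https://{IPA_HOST}/ipa/session/login_password", data=data,
        headers={"Referer": f"https://{IPA_HOST}/ipa", "Accept": "text/plain",
                 "Content-Type": "application/x-www-form-urlencoded"})
    opener.open(req).read()  # the cookie jar attached to `opener` now holds the session


def call(opener, body):
    """POST one JSON-RPC envelope to the session endpoint and return its result."""
    req = urllib.request.Request(
        f"https://{IPA_HOST}/ipa/session/json", data=json.dumps(body).encode(),
        headers={"Referer": f"https://{IPA_HOST}/ipa", "Accept": "application/json",
                 "Content-Type": "application/json"})
    return parse_response(opener.open(req).read().decode())


if __name__ == "__main__":
    import sys
    # CSR made beforehand, e.g.: openssl req -new -key host.key -subj "/CN=web1.example.test"
    csr_pem = open(sys.argv[1]).read()
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_password(opener, "svc-certs", "REPLACE_ME")  # placeholder service account
    result = call(opener, cert_request_body(csr_pem, "host/web1.example.test@EXAMPLE.TEST"))
    not_after = parse_ipa_datetime(result["valid_not_after"])
    print("serial", result["serial_number"], "expires", not_after,
          "renew now?", needs_renewal(not_after))
```

Run it from cron with the host's CSR path as the argument; the `needs_renewal` check is what you would run against the stored certificate's expiry before deciding to submit a new `cert_request`, so the script only talks to the CA when a renewal is actually due.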