[Freeipa-users] Certmonger (or similar) for FreeBSD?

Rob Crittenden rcritten at redhat.com
Tue Oct 25 10:01:31 UTC 2016


David Kupka wrote:
> On 24/10/16 19:26, Gilbert Wilson wrote:
>>
>>> On Oct 24, 2016, at 5:51 AM, David Kupka <dkupka at redhat.com> wrote:
>>>
>>> On 22/10/16 00:15, Gilbert Wilson wrote:
>>>> We have a lot of FreeBSD systems for which I would like to streamline
>>>> certificate issuance and renewal. Ideally, we could leverage our
>>>> FreeIPA system's CA to do this. But, certmonger doesn't run on
>>>> FreeBSD (or does it?). What other means have other people tried, or
>>>> would you recommend investigating, to enable automated certificate
>>>> issuance and renewal for FreeBSD FreeIPA clients?
>>>>
>>>> Any pointers are appreciated!
>>>>
>>>> Gil
>>>>
>>>
>>> Hello Gil!
>>>
>>> I have very limited experience with *BSD systems, so the question may
>>> be completely off.
>>> Have you tried to install and run certmonger using FreeBSD's Linux
>>> Binary Compatibility [1]? Though I don't know what the limitations
>>> or possible issues are, it could be a way.
>>>
>>> [1] http://www.freebsd.cz/doc/handbook/linuxemu.html
>>>
>>> --
>>> David Kupka
>>
>>
>> You know… I haven’t ever tried LBC! I suppose it’s worth a sacrificial
>> virtual machine to see if it works. It also occurred to me that
>> FreeIPA might have some sort of API given the web interface, and sure
>> enough that made the Google-fu turn up more useful results.
>>
>> * https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>> * https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>> * http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA
>>
>>
>> There doesn’t appear to be a manual for the API but those examples
>> seem to “show the way”. My initial thought is to create a script that
>> uses kinit with a keytab to authenticate against FreeIPA and then
>> create/renew permissible certificates for the system before they
>> expire. This seems reasonable since the certificate creation/renewal
>> is the scope of what I’m interested in doing. Do you see any reason
>> not to do it this way or have any other alternative suggestions?
>> Another way to think about it, perhaps, is what would you do on a
>> Linux system if you didn’t have access to the FreeIPA client or
>> certmonger?
>>
>> Thanks for the pointer/reminder about LBC!
>>
>> Gil
>>
>>
>>
>
> You're right, FreeIPA has a JSON-RPC API. It's used in the WebUI and also in
> the 'ipa' CLI. If you have FreeIPA server 4.2 or above there's an API Browser
> in the WebUI (IPA Server - API Browser). There you can find all commands and
> their parameters.
> Just an obligatory disclaimer: talking directly to the API is not
> officially supported. This means that the API can change in future
> versions.
>
> Good luck!

And this is sort of reinventing the wheel. certmonger uses the API already.

Have you tried building certmonger on BSD? It should be pretty portable 
C code, it just might require installing additional dependencies like 
libcurl (with GSSAPI support) and probably a few others.

You'd also need to manually configure Kerberos, get a keytab for it and 
create a basic /etc/ipa/default.conf.

rob
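The keytab-plus-JSON-RPC approach Gil sketches above, as an added example that is not code from the thread, from FreeIPA or from certmonger. It assumes the session flow described in the linked posts (a POST to /ipa/session/login_kerberos with SPNEGO to obtain an ipa_session cookie, then JSON-RPC POSTs to /ipa/session/json carrying a Referer header), a curl built with GSSAPI as Rob mentions, kinit and openssl on PATH, and that cert_request returns the issued certificate as base64 DER in a "certificate" field; the server name, API version string and file paths are placeholders. As David notes, the raw API is unsupported and may change, which is why the envelope pins a "version" option.

```python
"""Renew a FreeIPA-issued host certificate from a keytab without certmonger.
Added example, not code from the thread, FreeIPA or certmonger. Assumes (not
stated in the thread): curl built with GSSAPI, kinit and openssl on PATH, and
the session endpoints /ipa/session/login_kerberos and /ipa/session/json."""
import json
import os
import socket
import subprocess
from datetime import datetime, timedelta, timezone

IPA_SERVER = "ipa.example.test"              # placeholder server name
API_VERSION = "2.156"                        # placeholder; FreeIPA warns if omitted
KEYTAB = "/etc/krb5.keytab"                  # host keytab (e.g. from ipa-getkeytab)
CERT_FILE = "/usr/local/etc/ssl/host.pem"    # placeholder paths
CSR_FILE = "/usr/local/etc/ssl/host.csr"
COOKIE_JAR = "/var/run/ipa-session.cookies"
RENEW_BEFORE = timedelta(days=30)            # renew when less than this remains


def parse_openssl_enddate(line):
    """Parse the 'notAfter=Oct 25 10:01:31 2017 GMT' line printed by
    `openssl x509 -noout -enddate` into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def needs_renewal(not_after, now=None, threshold=RENEW_BEFORE):
    """True when the certificate expires within `threshold` (or already has)."""
    now = now or datetime.now(timezone.utc)
    return not_after - now <= threshold


def build_request(method, args=(), **options):
    """FreeIPA JSON-RPC envelope: params is [positional args, keyword options].
    Pinning 'version' keeps the server from applying a newer API's defaults."""
    options.setdefault("version", API_VERSION)
    return {"method": method, "params": [list(args), options], "id": 0}


def parse_response(body):
    """Unwrap a reply of the form {"result": {"result": ...}, "error": null}.
    A non-null 'error' object means the command failed on the server."""
    reply = json.loads(body)
    if reply.get("error"):
        err = reply["error"]
        raise RuntimeError("IPA error %s: %s" % (err.get("code"), err.get("message")))
    return reply["result"]["result"]


def pem_from_base64_der(b64):
    """Wrap base64 DER (assumed 'certificate' field) in PEM armour, 64 columns."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def kinit_host(keytab):
    """Obtain a TGT for the host principal from its keytab (no password)."""
    subprocess.run(["kinit", "-k", "-t", keytab], check=True)


def ipa_login(server, cookie_jar):
    """POST to login_kerberos with SPNEGO; curl stores the ipa_session cookie."""
    subprocess.run(["curl", "-sS", "-f", "--negotiate", "-u", ":", "-X", "POST",
                    "-c", cookie_jar,
                    "-H", "Referer: https://%s/ipa" % server,
                    "https://%s/ipa/session/login_kerberos" % server], check=True)


def ipa_call(server, cookie_jar, payload):
    """Send one JSON-RPC request with the saved session cookie and unwrap it.
    The Referer header is required; FreeIPA rejects requests without it."""
    out = subprocess.run(["curl", "-sS", "-f", "-b", cookie_jar,
                          "-H", "Referer: https://%s/ipa" % server,
                          "-H", "Content-Type: application/json",
                          "-H", "Accept: application/json",
                          "--data-binary", json.dumps(payload),
                          "https://%s/ipa/session/json" % server],
                         check=True, capture_output=True, text=True)
    return parse_response(out.stdout)


def main():
    if os.path.exists(CERT_FILE):
        out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", CERT_FILE],
                             check=True, capture_output=True, text=True).stdout
        if not needs_renewal(parse_openssl_enddate(out)):
            print("certificate still valid; nothing to do")
            return 0
    kinit_host(KEYTAB)
    ipa_login(IPA_SERVER, COOKIE_JAR)
    with open(CSR_FILE) as f:
        csr = f.read()
    # cert_request takes the PEM CSR positionally; the principal is an option.
    result = ipa_call(IPA_SERVER, COOKIE_JAR,
                      build_request("cert_request", [csr],
                                    principal="host/" + socket.getfqdn()))
    tmp = CERT_FILE + ".new"
    with open(tmp, "w") as f:
        f.write(pem_from_base64_der(result["certificate"]))
    os.replace(tmp, CERT_FILE)  # atomic swap: readers never see a partial file
    print("issued serial", result.get("serial_number"))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from cron on the FreeBSD host; the script is idempotent because it only talks to the CA when the current certificate is inside the renewal window. The cookie jar should be root-only, since anyone who can read it can act as the host principal until the session expires.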