On 1 April 2015 at 20:02, Nalin Dahyabhai <na...@redhat.com> wrote:

> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> > I understand from previous discussions that client certificates are not yet
> > supported in FreeIPA, instead I understand one can use "service
> > certificates". From an OpenVPN standpoint I'm guessing this is fine because
> > a vpn client can be entered in FreeIPA as a client and a certificate
> > generated for it. This might actually be a preferred model for VPN.
> >
> > My OVPN server config looks like this:
> > ca ca.crt
> > cert server.crt
> > key server.key
> > # Diffie-Hellman parameters.
> > dh dh2048.pem
> >
> > I guess I can use the
> > "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> > command to generate the server.crt and private.key and I know where to find
> > ca.crt however:
>
> Unless there are other requirements on the contents of the certificate,
> I'd expect that to work.
>

ipa service-add-host --hosts ipa.domain.de client/andrews-macbook-air.local.domain.de

ipa-getcert request -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN=andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de -K client/andrews-macbook-air.local.domain...@domain.de

-- Then shuffle the keys and certs around --
-- Restart OpenVPN --

And et voila! It works! Although it does feel a bit hacky :)

The GUI has some weird advice that did not make much sense when I did:

Actions -> New Certificate:

Issue New Certificate for Host andrews-macbook-air.local.domain.de

Create a certificate database or use an existing one. To create a new database:

# certutil -N -d <database path>

Create a CSR with subject CN=<hostname>,O=<realm>, for example:

# certutil -R -d <database path> -a -g <key size> -s 'CN=andrews-macbook-air.local.otternetworks.de,O=OTTERNETWORKS.DE'

Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

>
> I see mention in the docs of optionally requiring that a peer
> certificate include a particular value in its nsCertType extension
> (support for that's not currently planned AFAIK), or a particular value
> in its extendedKeyUsage (EKU) extension (there's a ticket [1] for
> supporting that), but you're not setting such a requirement above.
>
> > - How about the Diffie-Hellman parameters?
> > - Is dh2048.pem just a bunch of shared primes that enable the two parties
> > to establish encryption together?
>
> Yes to both. I'm going by the PKI section of the howto [2] and the man
> page here.
>
> > - Is it bad if this file is compromised?
>
> The howto and man pages say it's not required to be kept secret, and the
> secrecy of a key that's generated using DH key agreement doesn't depend
> on the parameters being kept secret, so I'd say no.
>
> HTH,
>
> Nalin
>
> [1] https://fedorahosted.org/freeipa/ticket/2915
> [2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
>
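The dh2048.pem questions in the exchange above (what the file holds and whether it must be kept secret), worked through as an added example that is not part of this thread and not OpenVPN or FreeIPA code: it writes and parses the PKCS#3 "DH PARAMETERS" PEM format that dh2048.pem uses, applies the sanity checks a practitioner would run over such a file (prime, safe prime, sane generator, size), and performs one DH agreement on those public parameters so that only the two private exponents determine the shared key. All parameter values are constructed and toy-sized (a 64-bit safe prime generated at run time, or the textbook p=23, g=5) rather than a real 2048-bit group, and every function name is this example's own.

```python
"""Constructed example: PKCS#3 DH parameter handling and one DH agreement.

Not code from the thread, OpenVPN or FreeIPA. The primes used are toy-sized
(generated here, or the textbook p=23, g=5); a real dh2048.pem carries a
2048-bit prime, which the same code handles but which is slow to generate.
"""
import base64
import secrets

# --- minimal DER codec for DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } ---

def _der_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def dhparams_to_pem(p: int, g: int) -> str:
    """Write p and g as the 'DH PARAMETERS' PEM block that OpenVPN's dh2048.pem uses."""
    body = der_integer(p) + der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN DH PARAMETERS-----", *lines, "-----END DH PARAMETERS-----"]) + "\n"


def pem_to_dhparams(pem: str) -> tuple:
    """Parse a 'DH PARAMETERS' block back into (p, g). PKCS#3 allows an optional
    trailing privateValueLength INTEGER, which this parser simply ignores."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a PKCS#3 DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


# --- parameter checks and the agreement itself ---

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases (24 rounds: error probability below 2**-48)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with q and p both prime, the shape `openssl dhparam` produces."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def check_dh_params(p: int, g: int) -> list:
    """Checks akin to `openssl dhparam -check`; returns findings (empty list = fine)."""
    findings = []
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        findings.append("generator g must lie strictly between 1 and p-1")
    if p.bit_length() < 2048:
        findings.append("p has only %d bits; the howto's dh2048.pem carries a 2048-bit prime" % p.bit_length())
    return findings


def dh_exchange(p: int, g: int) -> dict:
    """One agreement: 'public' is all an eavesdropper sees (it includes the parameters);
    the shared key is derived from the private exponents a and b, which never leave each side."""
    q = (p - 1) // 2
    a = secrets.randbelow(q - 2) + 2          # server's private exponent
    b = secrets.randbelow(q - 2) + 2          # client's private exponent
    A, B = pow(g, a, p), pow(g, b, p)         # the two values actually sent on the wire
    return {"public": (p, g, A, B), "server_key": pow(B, a, p), "client_key": pow(A, b, p)}


if __name__ == "__main__":
    pem = dhparams_to_pem(generate_safe_prime(64), 2)   # constructed toy-size parameters
    p, g = pem_to_dhparams(pem)
    print(pem, "checks:", check_dh_params(p, g) or "ok")
    run = dh_exchange(p, g)
    print("public transcript:", run["public"])
    print("both sides agree:", run["server_key"] == run["client_key"])
```

The size finding from check_dh_params is the one a real dh2048.pem should never trigger; the other three are what you would want to see empty before putting a parameter file on a server. Note that leaking the file hands an observer nothing beyond what is already in the "public" tuple of every exchange.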
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project