I touched on this a little in IRC, figured I'd move it to the list for a fuller conversation.

I'm in the process of adding access controls to machines requesting certificates for themselves.

Let me first show what happens when a certificate request occurs:

- Some authenticated entity generates a CSR and submits a request. This request consists of a service principal name and the CSR - If the hostname of the CSR matches the hostname of the requestor it is passed to the CA (optionally an entity may be granted to issue certs for any host)
- the CA automatically issues a certificate and returns the cert blob
- If the service already exists, the cert blob is added to the entry
- If not and it was requested, a service record is created for the service principal
- Finally the cert text is returned to the client

So a couple of things here:

- Do we want any machine to be able to generate certificates for itself? Steve was a bit nervous about this. - If not, do we want a group to specify which machines can do requests? Could get cumbersome to manage at some point but otherwise it would be a manual process to say "Steve's laptop can't request certs". - machines will need permission to write service entries. Do we want to grant this access to all machines? I might need some help from the 389 team to write an ACI that lets us control machines only writing service principals for themselves. I'd essentially need to pull out the hostname part of the krbprincipalname and somehow use that to limit write access to host/hostn...@realm. I can do it in code but then someone could do an ldapmodify to add a service and go around our XML-RPC interface (very naughty).


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Freeipa-devel mailing list

Reply via email to