Keystone needs signing certificates for Signing PKI tokens.
In addition, CERN has a developed an approach that allows user to
authenticate to Keystone via X509 for batch jobs. This requires Client
Both of these use cases are easily supported by Dogtag, but not exposed
via FreeIPA yet.
The easiest path forward is to open up direct access to the Dogtag REST
In this case, the work flow would be:
User sends CSR to Dogtag
User fetches signed certificate
User uploads to IPA
The questions I have relate to Dogtag/IPA integration:
All actions to Dogtag shuld be via mod_nss secured with Kerberos.
Does this tie in with Dogtag, or would Dogtag require Client Side
Even with Kerberos authentication, there is still no cross reference
between the Kerberos Principal and the CSR Subject. Is this a problem?
I thought there was a custom Tomcat Realm for integrating with
Kerberos. If so, does this expose the correct data to check the Subject
in the CSR?
Are there security implications in the user uploading their own
certifcates to FreeIPA's LDAP?
Can we re-enable the Dogtag XSRF checking without breaking IPA?
Does it make sense to have an extension to ipa-server-install that
specifies a Keystone user that becomes a Dogtag agent, or a comparable
commandline tool of the ipa-* family?
If we expose an URL for CSRs, that exposes the potential to request CSRs
of any set of attributes. The Agent would need to be careful not to
sign in appropriate requests. Is there any support for limiting the
types of Requests that would be acceptable?
Freeipa-devel mailing list