On Tue, Mar 13, 2018 at 07:41:32PM -0500, Jonathan Vaughn via FreeIPA-users wrote:
> Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom
> built things that manage our PKI and so on, to FreeIPA (which looks like it
> can probably cover all our needs), and had a couple of SSL related
> questions.
> 
> 1) It looks like improvements are proposed for being able to generate
> certificates from the web UI :
> https://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation#FreeIPA_Web_UI
> 
> Does anyone know the status of such plans? I see some work was done over
> the past year but I haven't been able to find anything obviously related to
> adding such ability to the web UI. Having to use the command line tools is
> not the end of the world, but being able to do it from the web UI would
> make things easier sometimes ... I tried installing the latest release in a
> Fedora VM but didn't see any way to generate the CSR itself from the Web UI.
> 
On hold.  It would not help much in your use case anyway; it is
useful for browser enrolment, but for non-browser use cases like
OpenVPN the key will have to be extracted from the browser, and CLI
tools used to prepare the key and certificate for use with OpenVPN.

> 2) What is the correct / recommended way to issue certificates to users for
> use with OpenVPN? We would have both site to site VPNs which I assume would
> be issued similar to a regular service/web server SSL certificate, as well
> as certificates for individual users. Do we add the users
> laptops/workstations as hosts in FreeIPA and then issue regular certs for
> them that way, or is there a way to issue a cert for a user and tie it to
> their identity (versus their laptop/workstation's identity)? Also, is
> there a specific certificate 'profile' that should be used?
> 
The steps are::

  # 1. export the caIPAserviceCert profile configuration
  ipa certprofile-show --out openvpn-client.cfg caIPAserviceCert

  # 2. edit the profile configuration: remove `1.3.6.1.5.5.7.3.1'
  #    (id-kp-serverAuth) from the exKeyUsageOIDs config, leaving
  #    `1.3.6.1.5.5.7.3.2' (id-kp-clientAuth), and change the
  #    profileId to (for example) openvpn_client
  $EDITOR openvpn-client.cfg

  # 3. import the new profile.  The name given here must match the
  #    profileId in the file.
  ipa certprofile-import openvpn_client --file openvpn-client.cfg \
        --store=1 --desc="OpenVPN client certificates"

  # 4. (optional) create a sub-CA for OpenVPN authentication.
  #    Set the subject name to whatever you actually want.
  ipa ca-add openvpn --subject 'CN=OpenVPN CA, O=YOUR.DOMAIN'

  # 5. add a CA ACL allowing issuance of certificates to users with
  #    the new profile from a particular CA
  ipa caacl-add users_openvpn --usercat=all
  ipa caacl-add-profile users_openvpn --certprofiles openvpn_client
  ipa caacl-add-ca users_openvpn --cas openvpn

For caacl-add-ca use `--ca ipa' if you didn't add an
OpenVPN-specific CA at step 4.

Then you can issue OpenVPN client certificates to users.  Configure
OpenVPN to trust the issuer certificate and you're good to go.

HTH,
Fraser
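The profile edit in step 2 is easy to get subtly wrong (profile ID in the file not matching the name passed to ``certprofile-import``, or the server-auth OID left in). The following Python is an added example, not part of Fraser's reply and not FreeIPA tooling: it applies the edit to an exported profile and checks the result before import. It assumes the file written by ``certprofile-show --out`` is Dogtag's ``key=value`` profile format with a ``profileId=`` line and one or more ``...exKeyUsageOIDs`` parameters; the sample excerpt, including the ``serverCertSet.7`` policy index, is constructed for illustration.

```python
"""Adapt an exported FreeIPA/Dogtag profile for OpenVPN client use and
sanity-check it: drop the TLS serverAuth EKU and rename the profile.

Added example (not from the mailing-list post). Assumes the export is the
Dogtag key=value profile format with a 'profileId=' line and
'exKeyUsageOIDs' parameters; SAMPLE_EXPORT below is constructed.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth: the OID the post says to remove
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth: what an OpenVPN client needs

# Constructed excerpt shaped like an exported caIPAserviceCert profile.
SAMPLE_EXPORT = """\
profileId=caIPAserviceCert
classId=caEnrollImpl
desc=Constructed sample of an exported server certificate profile
name=Constructed sample profile
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
"""


def adapt_profile(text, new_id, new_desc=None):
    """Return a copy of the export with profileId renamed and serverAuth
    removed from every exKeyUsageOIDs parameter; other lines are kept."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:                      # comments / blank lines pass through
            out.append(line)
            continue
        if key == "profileId":
            value = new_id
        elif key == "desc" and new_desc is not None:
            value = new_desc
        elif key.endswith(".exKeyUsageOIDs"):
            oids = [o.strip() for o in value.split(",") if o.strip()]
            value = ",".join(o for o in oids if o != SERVER_AUTH)
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def check_profile(text, expected_id):
    """Return a list of problems; empty means the file is ready to import.
    certprofile-import requires the name on the command line to match the
    file's profileId, and an OpenVPN client profile should carry clientAuth
    but not serverAuth."""
    problems = []
    values = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    if values.get("profileId") != expected_id:
        problems.append(f"profileId is {values.get('profileId')!r}, expected {expected_id!r}")
    eku_values = [v for k, v in values.items() if k.endswith(".exKeyUsageOIDs")]
    if not eku_values:
        problems.append("no exKeyUsageOIDs parameter found")
    for v in eku_values:
        oids = v.split(",")
        if SERVER_AUTH in oids:
            problems.append("serverAuth EKU still present")
        if CLIENT_AUTH not in oids:
            problems.append("clientAuth EKU missing")
    return problems


if __name__ == "__main__":
    # Typical use: read openvpn-client.cfg, write the adapted file, then check it.
    adapted = adapt_profile(SAMPLE_EXPORT, "openvpn_client", "OpenVPN client certificates")
    print(adapted)
    print("problems:", check_profile(adapted, "openvpn_client"))
```

Run ``check_profile`` on the file you are about to hand to ``certprofile-import``; a non-empty list is exactly the kind of mismatch that makes the import fail or, worse, quietly leaves a profile that still issues server-auth certificates to every user.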

> Thanks in advance

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org