On Tue, Mar 13, 2018 at 07:41:32PM -0500, Jonathan Vaughn via FreeIPA-users
> Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom
> built things that manage our PKI and so on, to FreeIPA (which looks like it
> can probably cover all our needs), and had a couple of SSL related
> 1) It looks like improvements are proposed for being able to generate
> certificates from the web UI :
> Does anyone know the status of such plans? I see some work was done over
> the past year but I haven't been able to find anything obviously related to
> adding such ability to the web UI. Having to use the command line tools is
> not the end of the world, but being able to do it from the web UI would
> make things easier sometimes ... I tried installing the latest release in a
> Fedora VM but didn't see any way to generate the CSR itself from the Web UI.
On hold. It would not help much in your use case anyway; it is
useful for browser enrolment but for non-browser use cases like
OpenVPN the key will have to be extracted from the browser, and CLI
tools used to prepare the key and certificate for use with OpenVPN.
> 2) What is the correct / recommended way to issue certificates to users for
> use with OpenVPN? We would have both site to site VPNs which I assume would
> be issued similar to a regular service/web server SSL certificate, as well
> as certificates for individual users. Do we add the users
> laptops/workstations as hosts in FreeIPA and then issue regular certs for
> them that way, or is there a way to issue a cert for a user and tie it to
> their identity (versus their laptop/workstation's identity)? Also, is
> there a specific certificate 'profile' that should be used?
The steps are:
# 1. export caIPAserviceCert configuration
ipa certprofile-show --out openvpn-client.cfg caIPAserviceCert
# 2. edit the profile configuration. remove `1.3.6.1.5.5.7.3.1'
# (serverAuth) from the exKeyUsageOIDs config, leaving clientAuth.
# Change the profile name (profileId) to (for example) openvpn_client
# 3. import the new profile (the name must match the profileId in the file)
ipa certprofile-import openvpn_client --file openvpn-client.cfg \
--store=1 --desc="OpenVPN client certificates"
# 4. (optional) create a sub-CA for openvpn authentication.
# Set the subject name to whatever you actually want.
ipa ca-add openvpn --subject 'CN=OpenVPN CA, O=YOUR.DOMAIN'
# 5. Add a CA ACL to allow issuance of certificates to users using
# the new profile and a particular CA
ipa caacl-add users_openvpn --usercat=all
ipa caacl-add-profile users_openvpn --certprofile openvpn_client
ipa caacl-add-ca users_openvpn --ca openvpn
For caacl-add-ca use `--ca ipa' if you didn't add an
OpenVPN-specific CA at step 4.
Then you can issue OpenVPN client certificates to users. Configure
OpenVPN to trust the issuer certificate and you're good to go.
> Thanks in advance
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
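The profile edit in step 2 of the reply above, done as a shell function plus a pre-import check, as an added example that is not code from the reply or from the FreeIPA project; it assumes the exported file uses the stock caIPAserviceCert key layout, and the SAMPLE_CFG excerpt is constructed.

```shell
#!/bin/sh
# Assumed: exported config follows the stock caIPAserviceCert key=value layout.
set -eu

# Constructed excerpt of `ipa certprofile-show --out x.cfg caIPAserviceCert`.
SAMPLE_CFG='profileId=caIPAserviceCert
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'

# make_client_profile NEW_ID < in.cfg > out.cfg
# Renames the profile and drops serverAuth (1.3.6.1.5.5.7.3.1) from every
# exKeyUsageOIDs list (default and constraint), leaving clientAuth (...7.3.2).
make_client_profile() {
  awk -v id="$1" -v drop='1.3.6.1.5.5.7.3.1' '
    {
      eq = index($0, "=")
      if (eq == 0) { print; next }          # pass non key=value lines through
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      if (key == "profileId") val = id
      else if (key == "name") val = "OpenVPN client certificate (" id ")"
      else if (key ~ /exKeyUsageOIDs$/) {
        n = split(val, oids, ","); val = ""
        for (i = 1; i <= n; i++)
          if (oids[i] != drop) val = val (val == "" ? "" : ",") oids[i]
      }
      print key "=" val
    }'
}

# client_only FILE: succeed only if no exKeyUsageOIDs line still lists
# serverAuth; run it before `ipa certprofile-import` to catch a missed edit.
client_only() {
  ! grep -Eq 'exKeyUsageOIDs=(.*,)?1\.3\.6\.1\.5\.5\.7\.3\.1(,|$)' "$1"
}

# Demo on the constructed sample (point it at the real exported file instead).
out=$(mktemp)
printf '%s\n' "$SAMPLE_CFG" | make_client_profile openvpn_client > "$out"
client_only "$out" && cat "$out"
```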