On 2022-11-17 11:12, Alexander Bokovoy via FreeIPA-users wrote:
> On to, 17 marras 2022, Francis Augusto Medeiros-Logeay wrote:
>> On 17 Nov 2022, at 10:15, Alexander Bokovoy <[email protected]> wrote:
>>> On to, 17 marras 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> I am trying to find good documentation on SCEP and FreeIPA, but I cannot
>>>> find anything that seems up to date or conclusive.
>>>>
>>>> Does FreeIPA support SCEP out of the box, or does it need some hacking to do so?
>>>>
>>>> And does it support other types of certificate enrolment besides its own api/client?
>>
>> Thanks a lot for a very explanatory answer as usual, Alexander.
>>
>>> It really depends on what you are asking for: FreeIPA as an integrated
>>> CA or FreeIPA as a consumer of some other CA.
>>
>> I was thinking more of FreeIPA and its own CA.
>>
>>> As a consumer of some other CAs, certmonger supports requesting
>>> certificates through SCEP. See the certmonger-scep-submit(8) man page and
>>> /usr/share/doc/certmonger/scep.txt for details.
>>>
>>> The FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
>>> does have support for a SCEP responder, but it is not configured by default
>>> and is not supported in the IPA frontend that does verification of the
>>> request.
>>
>> Yes, I guess that this is what some of the documents I've seen around say.
>>
>>> The FreeIPA integrated CA supports the ACME protocol (same as Let's Encrypt).
>>> Would using ACME be a better option?
>>
>> I was thinking of trying to use FreeIPA with some MDM solutions, and
>> the one I am trying (Workspace ONE) does not support ACME,
>> unfortunately.
>
> I can only suggest to look at Dogtag's documentation and practical
> examples. Dogtag PKI's CI system has a SCEP scenario with a core
> configuration defined here:
> https://github.com/dogtagpki/pki/blob/master/.github/workflows/scep-test.yml#L79-L90
> This test configuration allows a SCEP client from the 'client' system
> (running in a separate container, but that is an implementation detail);
> more details are available in https://github.com/dogtagpki/pki/wiki/Configuring-SCEP-Responder
>
> Since access to the integrated CA is proxied via IPA's httpd instance, you'd
> also need to add one more PKI proxy rule in
> /etc/httpd/conf.d/ipa-pki-proxy.conf. The required URL path is shown in the
> test and on that wiki page.
>
> Something like
>
> # matches for SCEP API of CA
> <LocationMatch "^/ca/cgi-bin/pkiclient.exe">
>     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>     SSLVerifyClient optional
>     ProxyPassMatch ajp://localhost:8009 secret=---copy-value-from-the-other-LocationMatch-entries
>     ProxyPassReverse ajp://localhost:8009
> </LocationMatch>

Thanks a lot! I will check the docs a bit closer.

Best,

Francis
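An added example, not code from the thread nor from FreeIPA or Dogtag, that automates the step Alexander describes: read the existing ipa-pki-proxy.conf, take the AJP secret the other LocationMatch entries already carry, and append the SCEP proxy rule exactly once. The configuration text and the secret value below are constructed samples, and the file layout is assumed from the entry shown in the thread.

```python
import re

# Constructed sample of /etc/httpd/conf.d/ipa-pki-proxy.conf (not a real file):
# the existing CA entries already carry the AJP secret the SCEP rule must reuse.
SAMPLE_CONF = '''\
# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009 secret=CONSTRUCTED_EXAMPLE_SECRET
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
'''

SCEP_PATH = "^/ca/cgi-bin/pkiclient.exe"  # path from the thread / Dogtag wiki
SECRET_RE = re.compile(r"^\s*ProxyPassMatch\s+ajp://\S+\s+secret=(\S+)", re.M)

def ajp_secret(conf: str) -> str:
    """Return the single AJP secret used by the existing LocationMatch entries.
    Refuse to guess when the file has none or disagrees with itself."""
    secrets = set(SECRET_RE.findall(conf))
    if len(secrets) != 1:
        raise ValueError(f"expected exactly one AJP secret, found {sorted(secrets)}")
    return secrets.pop()

def has_scep_rule(conf: str) -> bool:
    """True if a LocationMatch for the SCEP path is already present."""
    return f'<LocationMatch "{SCEP_PATH}">' in conf

def scep_proxy_block(conf: str) -> str:
    """Build the SCEP LocationMatch block with the secret copied from the file."""
    secret = ajp_secret(conf)
    return (
        "# matches for SCEP API of CA\n"
        f'<LocationMatch "{SCEP_PATH}">\n'
        "    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate\n"
        "    SSLVerifyClient optional\n"
        f"    ProxyPassMatch ajp://localhost:8009 secret={secret}\n"
        "    ProxyPassReverse ajp://localhost:8009\n"
        "</LocationMatch>\n"
    )

def add_scep_rule(conf: str) -> str:
    """Return conf with the SCEP rule appended; unchanged if it is already there."""
    if has_scep_rule(conf):
        return conf
    sep = "" if conf.endswith("\n") else "\n"
    return conf + sep + "\n" + scep_proxy_block(conf)
```

Run it against a copy of the real file, review the diff, then reload httpd; the function is idempotent, so re-running it does not duplicate the rule.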
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue