On Fri, Jun 02, 2023 at 02:40:09AM +0200, Jernej Jakob via FreeIPA-users wrote:
> You would obtain the certificate via one of the supported methods that
> generates the private key on the local machine first. The IPA CA would
> just sign the CSR and send back the signed certificate. So you should
> have the private key already.
> 
> For documentation see:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_certificates_in_idm/index
> 
> You would need to set up a certificate profile correctly for what you
> need to issue the certificate with the correct Subject and usage.
> 
> This page has information on how to create a profile for S/MIME.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_certificates_in_idm/creating-and-managing-certificate-profiles-in-identity-management_managing-certificates-in-idm
> You might be able to use this certificate for other things too, by
> setting the key usage for multiple things at once, but it must conform
> to standards or it won't work.
> 
> How you configure the client application to use the certificate depends
> on which method you used to obtain it and where it's stored.
> 
> For example, certmonger (in EL8+) can store it in PEM format files (in
> EL7 it stored them in an NSS database).
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_certificates_in_idm/using-certmonger_working-with-idm-certificates
> 
> You either import them manually into your application or have your
> application read the certificate through a wrapper. For example, for
> X.509 certs there are PKCS#11 modules that can read them from files or
> from a smart card.
> 
> Disclaimer: I have not tried these features so I can't say how exactly
> to set them up, but I'm reading into them recently as I'm also setting
> up my own FreeIPA for smart card login. I can however confirm that using
> a certmonger-obtained and tracked certificate works for an Apache HTTP
> server for several years now.
> 
> On Thu, 1 Jun 2023 18:32:07 +0200
> Jelle de Jong via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> wrote:
> 
> > On 6/1/23 15:18, Sumit Bose via FreeIPA-users wrote:
> > > On Thu, Jun 01, 2023 at 02:18:40PM +0200, Jelle de Jong via
> > > FreeIPA-users wrote:
> > >> Hello everybody,
> > >>
> > >> I am looking for a way to digitally sign documents by end-users within an
> > >> organisation.  
> > > 
> > > Hi,
> > > 
> > > correct me if I'm wrong, but to my understanding the certificate is not
> > > sufficient for a digital signature because this requires the private key
> > > and the certificate will only contain the public key for others to
> > > verify your signature.
> > >   
> > 
> > I agree with you; I cannot figure out where FreeIPA would store the
> > user's private key.
> > 
> > However, it does mention S/MIME signing support, and I am also not sure
> > whether these wiki pages are a draft of future features.
> > 
> > https://www.freeipa.org/page/V4/User_Certificates#S.2FMIME_and_User_Signing_Certificates
> > 
> > https://www.freeipa.org/page/V4/Sub-CAs
> > 
> > https://www.freeipa.org/page/V4/Certificate_Profiles
> > 
> > Does someone know if I can use FreeIPA as a root CA to create new user
> > private/public key pairs, store them in FreeIPA and retrieve them
> > with SSSD?

Hi,

How certificate/private key pairs can be created is described above by
Jernej. FreeIPA and SSSD only allow storing the public part, i.e. the
certificate, but not the private key, because, as the name says, you want
to keep it private and not share it in a central store like FreeIPA.

bye,
Sumit

> > 
> > >>
> > >> I can add a certificate to every user with our IPA user-add-cert system.
> > >>
> > >> I can use SSSD clients to pull up the certificate.
> > >>
> > >> org.freedesktop.sssd.infopipe.Users.FindByCertificate
> > >>
> > >> Is there a way to integrate SSSD user certificates into the Mozilla
> > >> Certificate Manager?
> > >>
> > >> https://www.freeipa.org/page/V4/User_Certificates
> > >>
> > >> https://help.libreoffice.org/6.1/he/text/shared/guide/digitalsign_send.html
> > >>
> > >> Has anybody otherwise done this with CAcert, or integrated CAcert
> > >> certificates into ipa user-add-cert?
> > >>
> > >> Kind regards,
> > >>
> > >> Jelle de Jong  
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: 
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam, report it: 
> > https://pagure.io/fedora-infrastructure/new_issue
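As an added illustration of the point made in this thread (the key is generated on the client, the IPA CA only signs the CSR, and only the certificate ends up in FreeIPA), the following POSIX shell script, which is not from the thread or from the FreeIPA project, checks a locally stored PEM pair the way you would check the files certmonger writes on EL8+: that the private key actually matches the certificate, that the certificate carries the key usage and extended key usage an S/MIME signing client expects, and that the key file is not readable by group or others. The scratch directory, the sample subject and the self-signed stand-in certificate are constructed for the example so it runs offline; with an IPA-issued certificate you would point the same functions at the key and certificate files you handed to ipa-getcert.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): sanity checks for a
# locally generated private key and its certificate, as certmonger stores
# them in PEM files on EL8+.  The pair below is constructed with a
# self-signed certificate so the script runs offline; an IPA-signed
# certificate is checked exactly the same way.  Needs openssl 1.1.1+.
set -u

WORK="${TMPDIR:-/tmp}/smime-check.$$"   # constructed scratch directory

# Build the sample material: a key+cert pair with S/MIME-style usages,
# plus an unrelated key to show what a mismatch looks like.
make_sample_pair() {
  mkdir -p "$WORK" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$WORK/user.key" -out "$WORK/user.crt" \
      -subj "/CN=alice/emailAddress=alice@example.test" \
      -addext "keyUsage=digitalSignature" \
      -addext "extendedKeyUsage=emailProtection" >/dev/null 2>&1 || return 1
  chmod 600 "$WORK/user.key"
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1 || return 1
}

# Succeeds only if the public key inside the certificate is the public
# half of the given private key (both compared as SubjectPublicKeyInfo PEM).
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds if the certificate carries digitalSignature in keyUsage and
# emailProtection in extendedKeyUsage, which S/MIME signing clients expect.
cert_has_smime_usage() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q 'Digital Signature' &&
  printf '%s\n' "$text" | grep -q 'E-mail Protection'
}

# Succeeds if group and others have no permission bits on the key file.
key_perms_ok() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Runs every check against the sample pair and cleans up; returns 0 when
# every check gives the expected result (including the expected mismatch).
run_checks() {
  make_sample_pair || return 1
  rc=0
  key_matches_cert "$WORK/user.key"  "$WORK/user.crt" || rc=1
  key_matches_cert "$WORK/other.key" "$WORK/user.crt" && rc=1   # must fail
  cert_has_smime_usage "$WORK/user.crt" || rc=1
  key_perms_ok "$WORK/user.key" || rc=1
  rm -rf "$WORK"
  return $rc
}

if run_checks; then
  echo "key/cert pair consistent and usable for S/MIME signing"
else
  echo "at least one check failed" >&2
fi
```

The key comparison is the one that matters for the question asked in the thread: if `key_matches_cert` fails for the certificate you pulled from IPA, the certificate was issued for a key you do not hold, and no amount of SSSD lookups will let you sign with it. The usage check is what Jernej's remark about the profile having to "conform to standards" boils down to for mail clients.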