On 02/23/2012 04:18 PM, Nalin Dahyabhai wrote:
> On Wed, Feb 22, 2012 at 02:57:03PM -0900, Erinn Looney-Triggs wrote:
>> It looks like, as far as I can tell, the IPA pki setup does not by
>> default include subjectKeyIdentifier in the SSL certificates issued. I
>> am using ipa-getcert -f foo -k bar, to generate and submit the request.
>>
>> I am a little hazy about how all of this fits together at this point, so
>> please forgive me. However, it looks like the RFC states that the CA
>> SHOULD be included with all end certificates:
>> https://www.ietf.org/rfc/rfc3280.txt (Page 27). So it is fine that it is
>> not included, but is there a way to modify IPA so that it does?
> 
> While certmonger doesn't currently add a subjectKeyIdentifier value to
> the list of requested extensions which it includes in signing requests,
> I guess it could, but you're right in thinking that it's more important
> to get the CA to do it -- the CA can (and almost always should) ignore
> anything we put in the signing request anyway.  And Dogtag is flexible
> enough that we can do that without the rest of IPA being any the wiser.
> 
>> I assume this is all part of dogtag and it's operations, and it looks
>> like from my research it should be possible in dogtag, but how IPA and
>> dogtag work together etc. well I just don't know enough.
> 
> The short version is that certmonger uses XML-RPC to talk to the IPA
> server, which then turns around and talks to the Dogtag instance running
> on the same server (using an HTTP-based protocol that looks a lot like
> XML-RPC), asking it to issue certificates using Dogtag's
> "caIPAserviceCert" profile.
> 
> The profile, in turn, specifies to Dogtag what requirements a client
> which asks it to issue a certificate using that profile should meet
> (i.e., that it needs to authenticate using the a certificate and key
> that belongs to a registration agent, like IPA's) and what to put into
> any certificates that issues using that profile.  As you've noticed,
> that currently doesn't include a subjectKeyIdentifier extension.
> 
> The profile itself is just a configuration file, and while its syntax is
> very flexible, based on what I have here, I'd suggest stopping your CA
> and adding this to /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg:
> 
>   policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
>   policyset.serverCertSet.10.constraint.name=No Constraint
>   
> policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
>   policyset.serverCertSet.10.default.name=Subject Key Identifier Extension 
> Default
>   policyset.serverCertSet.10.default.params.critical=false
> 
> The "10" doesn't have to be "10", exactly.  Any identifier should do, so
> long as it's not already being used.  Then append that identifier to the
> "policyset.serverCertSet.list" value so that the server components will
> find it.  I changed mine from this:
> 
>   policyset.serverCertSet.list=1,2,3,4,5,6,7,8
> 
> to this:
> 
>   policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
> 
> Then restart the CA (or all of the IPA services, if it's easier), and
> from the client, use "ipa-getcert resubmit" to get certmonger to
> re-submit the signing requests for the certificates in question.  IPA
> will ask Dogtag to issue new certificates, and those new certificates
> should contain the subjectKeyIdentifier extension.
> 
> That all works when I try it here.
> 
> And since it's a SHOULD in the spec, it'd probably make for a decent
> enhancement request to have the profile include that by default.
> 
> HTH,
> 
> Nalin

Nalin,

Brilliant, absolutely brilliant. Thanks for putting some of the pieces
together for me, it is much appreciated. As well, the config worked out
perfectly.

I will put in a BZ request for this to be in the default template.

-Erinn

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to