On 02/06/2015 12:53 AM, Christopher Young wrote:
> Obvious next question:  Any plans to implement that functionality or advice
> on how one might get some level of functionality for this?  Would it be
> possible to create another command-line based openssl CA that could issue
> these but using IPA as the root CA for those?

As for FreeIPA plans, we plan to vastly improve our flexibility to process
certificates in next upstream version - FreeIPA 4.2. In next version, one
should be able to create other certificate profiles (from FreeIPA default
service cert profile) or even subCAs to do what you want.

As for current workarounds, you would have to issue and sign a for example NSS
or openssl based subCA and then sign user certs there. But I would leave Fraser
or Jan to tell if this would be really possible.

> I'm just trying to provide a solution for situations where we would like to
> utilize client/user cert authentication for situations like secure apache
> directory access as well as user VPN certificates.  Any advise or ideas are
> great appreciated.
> Thanks again!
> On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Christopher Young wrote:
>>> Some of this might be rudimentary, so I apologize if this is answered
>>> somewhere, though I've tried to search and have not had much luck...
>>> Basically,  I would like to be able to issue user certificates (Subject:
>>> email=sblblabla@blabla.local) in order to use client SSL security on
>>> some things.  I'm very new to FreeIPA, but have worked with external CAs
>>> in the past for similar requests, however this is my first entry into
>>> creating/running a localized CA within an organization.
>> IPA doesn't issue user certificates yet, only server certificates.
>>> I was wondering if this is possible via the command line, and if so, how
>>> to go about submitting the request and receiving the certificate.  Any
>>> guidance or assistance would be greatly appreciated!
>>> Additionally, just as a matter of cleanliness, is there any way possible
>>> to just completely wipe out the existence of a certificate/request from
>>> FreeIPA.  I have done some trial-and-error and obviously have made
>>> mistakes that I'd prefer to clean up after.  I've revoked those certs,
>>> however the perfectionist in me hates seeing them there.  I'm quite
>>> certain the answer is 'no', but I thought I would ask anyway.
>> Right, the answer is no. In fact it is a good thing that all
>> certificates are accounted for.
>> rob

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to