On Fri, Feb 06, 2015 at 03:30:34PM +0100, Martin Kosek wrote:
> On 02/06/2015 12:53 AM, Christopher Young wrote:
> > Obvious next question:  Any plans to implement that functionality or advice
> > on how one might get some level of functionality for this?  Would it be
> > possible to create another command-line based openssl CA that could issue
> > these but using IPA as the root CA for those?
> As for FreeIPA plans, we plan to vastly improve our flexibility to process
> certificates in next upstream version - FreeIPA 4.2. In next version, one
> should be able to create other certificate profiles (from FreeIPA default
> service cert profile) or even subCAs to do what you want.
> As for current workarounds, you would have to issue and sign a for example NSS
> or openssl based subCA and then sign user certs there. But I would leave 
> Fraser
> or Jan to tell if this would be really possible.
Christopher, until profiles and subCAs are available in FreeIPA your
options are:

- Issue client certificates from the existing Dogtag CA, by using an
  appropriate profile and including the relevant information in the
  certificate request.  Client certificates would be issued from the
  same CA as service certificates (but would have different keyUsage
  attributes, etc).

- Same as above, but spawn a subordinate Dogtag CA instance for
  issuing the client certificates.

- (Martin's suggestion:) Issue a subordinate signing certificate
  from the Dogtag CA and use OpenSSL or other CA software to issue
  client certificates.

The first option is the easiest but would not be considered good
practice because certificates intended for different client uses
(e.g. web, VPN) should be issued from different CAs.  But the latter
options are "heavyweight".

Hope that helps,

> > I'm just trying to provide a solution for situations where we would like to
> > utilize client/user cert authentication for situations like secure apache
> > directory access as well as user VPN certificates.  Any advise or ideas are
> > great appreciated.
> > 
> > Thanks again!
> > 
> > On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > 
> >> Christopher Young wrote:
> >>> Some of this might be rudimentary, so I apologize if this is answered
> >>> somewhere, though I've tried to search and have not had much luck...
> >>>
> >>> Basically,  I would like to be able to issue user certificates (Subject:
> >>> email=sblblabla@blabla.local) in order to use client SSL security on
> >>> some things.  I'm very new to FreeIPA, but have worked with external CAs
> >>> in the past for similar requests, however this is my first entry into
> >>> creating/running a localized CA within an organization.
> >>
> >> IPA doesn't issue user certificates yet, only server certificates.
> >>
> >>> I was wondering if this is possible via the command line, and if so, how
> >>> to go about submitting the request and receiving the certificate.  Any
> >>> guidance or assistance would be greatly appreciated!
> >>>
> >>>
> >>> Additionally, just as a matter of cleanliness, is there any way possible
> >>> to just completely wipe out the existence of a certificate/request from
> >>> FreeIPA.  I have done some trial-and-error and obviously have made
> >>> mistakes that I'd prefer to clean up after.  I've revoked those certs,
> >>> however the perfectionist in me hates seeing them there.  I'm quite
> >>> certain the answer is 'no', but I thought I would ask anyway.
> >>
> >> Right, the answer is no. In fact it is a good thing that all
> >> certificates are accounted for.
> >>
> >> rob
> >>
> >>
> > 
> > 
> > 

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to