Would anyone happen to have any guides on how one could get through this
process? I'm a one-man IT shop at the moment, so I'm building up a
tremendous amount of infrastructure at once. I'm thinking that the option
of creating a subCA with something simple like openssl would be the best
option, but figuring out that process in a minimal amount of time is going
to be tough.

I'm going to try and give myself some reading assignments and push that
forward, but if anyone happens to have a good handle on that
process/commands/etc. and would be interested in double a couple of hours
of consulting to me, I would be very interested in listening provided we
could come up with a reasonable rate/timeframe. If anyone is interested,
please contact me directly off-list.

Thanks again. These answers/ideas have been most helpful.

On Fri, Feb 6, 2015 at 9:30 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 02/06/2015 12:53 AM, Christopher Young wrote:
> > Obvious next question: Any plans to implement that functionality or
> > on how one might get some level of functionality for this? Would it be
> > possible to create another command-line based openssl CA that could issue
> > these but using IPA as the root CA for those?
> As for FreeIPA plans, we plan to vastly improve our flexibility to process
> certificates in next upstream version - FreeIPA 4.2. In next version, one
> should be able to create other certificate profiles (from FreeIPA default
> service cert profile) or even subCAs to do what you want.
> As for current workarounds, you would have to issue and sign a for example
> or openssl based subCA and then sign user certs there. But I would leave
> or Jan to tell if this would be really possible.
> > I'm just trying to provide a solution for situations where we would like
> > utilize client/user cert authentication for situations like secure apache
> > directory access as well as user VPN certificates. Any advice or ideas
> > great appreciated.
> > Thanks again!
> > On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden <rcrit...@redhat.com>
> >> Christopher Young wrote:
> >>> Some of this might be rudimentary, so I apologize if this is answered
> >>> somewhere, though I've tried to search and have not had much luck...
> >>> Basically, I would like to be able to issue user certificates
> >>> email@example.com) in order to use client SSL security on
> >>> some things. I'm very new to FreeIPA, but have worked with external
> >>> in the past for similar requests, however this is my first entry into
> >>> creating/running a localized CA within an organization.
> >> IPA doesn't issue user certificates yet, only server certificates.
> >>> I was wondering if this is possible via the command line, and if so,
> >>> to go about submitting the request and receiving the certificate. Any
> >>> guidance or assistance would be greatly appreciated!
> >>> Additionally, just as a matter of cleanliness, is there any way
> >>> to just completely wipe out the existence of a certificate/request from
> >>> FreeIPA. I have done some trial-and-error and obviously have made
> >>> mistakes that I'd prefer to clean up after. I've revoked those certs,
> >>> however the perfectionist in me hates seeing them there. I'm quite
> >>> certain the answer is 'no', but I thought I would ask anyway.
> >> Right, the answer is no. In fact it is a good thing that all
> >> certificates are accounted for.
> >> rob
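
The workaround discussed in this thread (a sub-CA signed by an existing CA, which then signs user certificates), sketched with openssl as an added example that is not from any poster or from the FreeIPA project. It uses a locally generated stand-in root rather than the IPA CA, since the thread leaves open whether the IPA CA would sign such a request; all subject names, file names and lifetimes are constructed.

```shell
#!/bin/sh
# Added example; every subject name, file name and lifetime here is constructed.
set -eu

# build_chain DIR: stand-in root -> sub-CA -> user client certificate.
build_chain() (
  mkdir -p "$1" && cd "$1"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:user@example.test
EOF
  # Stand-in root; in practice this key belongs to the organisation's existing CA.
  openssl req -x509 -config ca.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/O=EXAMPLE.TEST/CN=Stand-in Root CA" \
    -keyout root.key -out root.pem 2>/dev/null
  # Sub-CA key and CSR; the root signs it as a CA that cannot create further CAs.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/O=EXAMPLE.TEST/CN=User Cert Sub-CA" -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_sub -sha256 -days 30 -out sub.pem 2>/dev/null
  # User key and CSR, signed by the sub-CA with the client-only profile.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/O=EXAMPLE.TEST/CN=user" -keyout user.key -out user.csr 2>/dev/null
  openssl x509 -req -in user.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_user -sha256 -days 30 -out user.pem 2>/dev/null
)

# verify_as DIR PURPOSE: status 0 only if user.pem chains to root.pem for PURPOSE.
verify_as() (
  cd "$1"
  openssl verify -CAfile root.pem -untrusted sub.pem -purpose "$2" user.pem >/dev/null 2>&1
)
```

`verify_as DIR sslclient` succeeds while `verify_as DIR sslserver` fails, because the user profile carries only the clientAuth extended key usage.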