On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
I am currently trying to use FreeIPA to issue client certificates for
some internal application we have. (More precisely, SSL double
authentication between two of my applications, client side would be
java, server-side would be apache httpd.) I considered two options:
1. Issue client certificates directly from FreeIPA : It does not seem
that it's currently "supported". I can actually generate a client
certificate by creating a new principal for a host, and use ipa-getcert
to generate a certificate for it. However, this certificate is valid for
both user and server authentication, and I cannot change it.
Furthermore, I cannot change the CN of the certificate, it is the
server's hostname for which the principal has been generated. That's a
2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to
do whatever I want to do. I tried to use the dogtag profiles with the
ipa-getcert -T option, but the profiles were ignored when I tried to use
them. And I always got 'regular' certificates.
I did some research, and found this RFE:
And this Sub-CA notion seems to be perfect for what I want to do. When
I'm looking at the ticket, it seems that it is quietly sleeping
somewhere, remaining not updated.
I would love to see this feature in FreeIPA v4.2, has anyone a status on
this RFE and its current status?
Design page is there, the work happens on freeipa-devel@. There are
multiple patches in the review process right now. If you are willing to
help with testing them, welcome to the development list.
/ Alexander Bokovoy
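As an added example (not from either poster, and not FreeIPA or dogtag code), the script below reproduces option 2 from the question with plain openssl: a throwaway root CA signs a sub-CA, the sub-CA issues a client certificate whose extended key usage is limited to clientAuth, and two helper functions then verify what the question could not get from ipa-getcert, namely that the leaf is accepted for client authentication and rejected for server authentication. All subjects and file names are constructed for the demo; nothing here is a real IPA CA.

```shell
#!/bin/sh
# Added example: root CA -> sub-CA -> client-auth-only leaf, built with openssl.
# Every name below is a constructed placeholder for demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

ROOT_SUBJ="/CN=Demo Root CA"        # hypothetical, stands in for the IPA CA
SUB_SUBJ="/CN=Demo Client Sub-CA"   # hypothetical sub-CA from "option 2"
LEAF_SUBJ="/CN=app-client"          # hypothetical client identity (free CN choice)

make_chain() {
    # 1. Self-signed root (default req -x509 extensions mark it CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "$ROOT_SUBJ" -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

    # 2. Sub-CA: CSR signed by the root, constrained so it cannot mint further CAs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUB_SUBJ" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" >/dev/null 2>&1
    printf '%s\n' \
        'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/sub.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/sub.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" >/dev/null 2>&1

    # 3. Client leaf: EKU restricted to clientAuth, no serverAuth at all.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$LEAF_SUBJ" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    printf '%s\n' \
        'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Echo "yes" only if the certificate carries clientAuth and no serverAuth EKU.
# A certificate with no EKU at all is reported "no", because it would be
# accepted for any purpose.
is_client_only() {
    eku="$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1)"
    case "$eku" in
        *"TLS Web Server Authentication"*) echo no ;;
        *"TLS Web Client Authentication"*) echo yes ;;
        *) echo no ;;
    esac
}

# Validate the whole chain for a given purpose (sslclient or sslserver);
# echoes "ok" or "fail" instead of exiting, so callers can compare.
purpose_ok() {
    if openssl verify -purpose "$1" -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/sub.crt" "$WORK/client.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_chain
echo "client-only EKU: $(is_client_only "$WORK/client.crt")"
echo "verify as TLS client: $(purpose_ok sslclient)"
echo "verify as TLS server: $(purpose_ok sslserver)"
```

The server-purpose check is the one worth keeping in a deployment: it is the difference between a certificate that can only present itself to httpd as a client and one that, as in option 1 above, could also be used to impersonate a server if its key leaked.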
Manage your subscription for the Freeipa-users mailing list: