On Mon, Jun 01, 2015 at 05:19:20PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
> >I am currently trying to use FreeIPA to issue client certificates for
> >some internal application we have. (More precisely, SSL double
> >authentication between two of my applications, client side would be
> >java, server-side would be apache httpd.) I considered two options :
> >1. Issue client certificates directly from FreeIPA : It do not seems
> >that it's currently "supported". I can actually generate a client
> >certificate by creating a new principal for a host, and use ipa-getcert
> >to generate a certificate for it. However, this certificate is valid for
> >both user and server authentication, and I cannot change it.
> >Furthermore, I cannot change the CN of the certificate, it is the
> >server's hostname for which the pincipal has been generated. That's a
> >poor solution.
> >2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to
> >do whatever I want to do. I tried to use the dogtag profiles with the
> >ipa-getcert -T option, but the profiles were ignored when I tried to use
> >them. And I always got 'regular' certificates.
> >I did some research, and found this RFE :
> >And this Sub-CA notions seems to be perfect for what I want to do. When
> >I'm looking at the ticket, it seems that it is quietly sleeping
> >somewhere, remaining not updated.
> >I would love to see this feature in FreeIPA v4.2, has anyone a status on
> >this RFE and it's current status ?
I'm working on user certificates, profiles and sub-CAs. User
certificates and custom profiles are a near-certainty to make 4.2.
Sub-CAs will not make it into the alpha; hopefully I can finish the
feature and squeeze it into 4.2 but it's a possibility that sub-CAs
will arrive in a follow-up release.
Would you be willing to help test all these features and provide
feedback? I will soon be preparing a COPR with test builds so if
you would like to help in this way, I can help you get set up to do
this. I (we) would really appreciate your feedback.
> Design page is there, the work happens on freeipa-devel@. There are
> multiple patches in the review process right now. If you are willing to
> help with testing them, welcome to the development list.
> / Alexander Bokovoy
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project