On Mon, Jun 01, 2015 at 05:19:20PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
> >Hi,
> >
> >I am currently trying to use FreeIPA to issue client certificates for
> >some internal application we have. (More precisely, SSL double
> >authentication between two of my applications, client side would be
> >Java, server side would be Apache httpd.) I considered two options:
> >
> >1. Issue client certificates directly from FreeIPA: it does not seem
> >that it's currently "supported". I can actually generate a client
> >certificate by creating a new principal for a host, and use ipa-getcert
> >to generate a certificate for it. However, this certificate is valid for
> >both user and server authentication, and I cannot change it.
> >Furthermore, I cannot change the CN of the certificate, it is the
> >server's hostname for which the principal has been generated. That's a
> >poor solution.
> >
> >2. Issue a Sub-CA signed by the IPA CA, that I would use with openssl to
> >do whatever I want to do. I tried to use the dogtag profiles with the
> >ipa-getcert -T option, but the profiles were ignored when I tried to use
> >them. And I always got 'regular' certificates.
> >
> >I did some research, and found this RFE:
> >http://www.freeipa.org/page/V4/Sub-CAs
> >
> >And this Sub-CA notion seems to be perfect for what I want to do. When
> >I'm looking at the ticket, it seems that it is quietly sleeping
> >somewhere, remaining not updated.
> >
> >I would love to see this feature in FreeIPA v4.2, has anyone a status on
> >this RFE and its current status?
>
> Hi Thibaut,

I'm working on user certificates, profiles and sub-CAs. User certificates
and custom profiles are a near-certainty to make 4.2. Sub-CAs will not
make it into the alpha; hopefully I can finish the feature and squeeze it
into 4.2, but it's a possibility that sub-CAs will arrive in a follow-up
release.

Would you be willing to help test all these features and provide
feedback? I will soon be preparing a COPR with test builds, so if you
would like to help in this way, I can help you get set up to do this.
I (we) would really appreciate your feedback.

Cheers,
Fraser

> Design page is there, the work happens on freeipa-devel@. There are
> multiple patches in the review process right now. If you are willing to
> help with testing them, welcome to the development list.
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
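The thread's first complaint is that the certificate ipa-getcert hands back is valid for both client and server authentication and carries the host's name as CN. An added check, not code from the thread, ipa-getcert or FreeIPA, that inspects what a certificate is actually valid for (EKU purposes and subject CN) before it is deployed as a mutual-TLS client certificate; it assumes the openssl CLI is on PATH and generates constructed demo certificates (hypothetical names app1.example.test and app1-client) in place of real ipa-getcert output.

```shell
#!/bin/sh
# Added example; not code from the thread, ipa-getcert or FreeIPA.
# Inspect what an issued certificate is really valid for (EKU purposes
# and subject CN) before deploying it as a mutual-TLS client certificate.
# Assumption: the openssl CLI (1.1.1 or newer, for "req -addext") is on PATH.
set -e

# Print the Extended Key Usage purposes of a PEM certificate on one line.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Verdict for use as a TLS client certificate: "ok" only when the EKU
# permits client authentication, does not also permit server
# authentication, and the CN is the identity we intend to present.
client_cert_verdict() {
    eku=$(cert_eku "$1")
    case "$eku" in
        *"TLS Web Server Authentication"*) echo "reject: also valid for server auth"; return 0 ;;
        *"TLS Web Client Authentication"*) ;;
        *) echo "reject: no clientAuth EKU"; return 0 ;;
    esac
    cn=$(cert_cn "$1")
    if [ "$cn" = "$2" ]; then echo "ok"; else echo "reject: CN is $cn, expected $2"; fi
}

# Constructed demo certificates standing in for the two cases in the
# thread: a host certificate carrying both EKUs, and a client-only one.
DEMO=$(mktemp -d)
mkcert() {  # $1 = output path, $2 = CN, $3 = EKU list
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$DEMO/key.pem" -out "$1" -days 1 -subj "/CN=$2" \
        -addext "extendedKeyUsage=$3" >/dev/null 2>&1
}
mkcert "$DEMO/host.pem"   "app1.example.test" "serverAuth,clientAuth"
mkcert "$DEMO/client.pem" "app1-client"       "clientAuth"

client_cert_verdict "$DEMO/host.pem"   "app1.example.test"  # reject: also valid for server auth
client_cert_verdict "$DEMO/client.pem" "app1-client"        # ok
```

Run it against a real certificate with `client_cert_verdict /path/to/cert.pem <expected CN>`; anything other than "ok" is the certificate the thread describes, not one you want a Java client presenting to httpd.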
