I, too, am very much in need of user certificates. If it is possible to set up an additional FreeIPA server to test this out, then I could help out in testing the feature. I obviously don't want to impact my production environment too much, but it is rather stagnant, so if I can back up the LDAP DB every once in a while, that could work. Otherwise, I could possibly find some time to set up another instance for testing. I definitely need this feature! Thank you so much for working on it.
Chris

On Mon, Jun 1, 2015 at 6:34 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Mon, Jun 01, 2015 at 05:19:20PM +0300, Alexander Bokovoy wrote:
> > On Mon, 01 Jun 2015, Thibaut Pouzet wrote:
> > > Hi,
> > >
> > > I am currently trying to use FreeIPA to issue client certificates for some internal application we have. (More precisely, SSL double authentication between two of my applications; the client side would be Java, the server side would be Apache httpd.) I considered two options:
> > >
> > > 1. Issue client certificates directly from FreeIPA: it does not seem that this is currently "supported". I can actually generate a client certificate by creating a new principal for a host and using ipa-getcert to generate a certificate for it. However, this certificate is valid for both user and server authentication, and I cannot change that. Furthermore, I cannot change the CN of the certificate; it is the hostname of the server for which the principal has been generated. That's a poor solution.
> > >
> > > 2. Issue a Sub-CA signed by the IPA CA, which I would use with openssl to do whatever I want to do. I tried to use the Dogtag profiles with the ipa-getcert -T option, but the profiles were ignored when I tried to use them, and I always got 'regular' certificates.
> > >
> > > I did some research and found this RFE:
> > > http://www.freeipa.org/page/V4/Sub-CAs
> > >
> > > And this Sub-CA notion seems to be perfect for what I want to do. When I look at the ticket, it seems to be quietly sleeping somewhere, not being updated.
> > >
> > > I would love to see this feature in FreeIPA v4.2. Does anyone have a status on this RFE and its current status?
>
> Hi Thibaut,
>
> I'm working on user certificates, profiles and sub-CAs. User certificates and custom profiles are a near-certainty to make 4.2. Sub-CAs will not make it into the alpha; hopefully I can finish the feature and squeeze it into 4.2, but it's a possibility that sub-CAs will arrive in a follow-up release.
>
> Would you be willing to help test all these features and provide feedback? I will soon be preparing a COPR with test builds, so if you would like to help in this way, I can help you get set up to do this. I (we) would really appreciate your feedback.
>
> Cheers,
> Fraser
>
> > Design page is there, the work happens on freeipa-devel@. There are multiple patches in the review process right now. If you are willing to help with testing them, welcome to the development list.
> >
> > --
> > / Alexander Bokovoy
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project