On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
Hello,

I would like to have authenticated users to upload a csr request and
have their certificate automatically signed. Their certificate would
expire in x days.

Given the short life of the certificate, I would then like them to be
able to easily download the certificate.

Any suggestion on how to do it?
I would prefer the shell script approach but also having it self
serviced on the web ui would be great.

Regards


--
Alessandro De Maria
alessandro.dema...@gmail.com <mailto:alessandro.dema...@gmail.com>



Hi Alessandro,

for FreeIPA 4.2+ you can use the following links as a guide to set up a custom profile and CA ACL rules so that users can request certificates for themselves:

http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

The user then can generate CSR request e.g. using OpenSSL and use 'ipa cert-request' to send it to IPA CA. If you specify 'store=True' when adding the custom certificate profile, the certificate will be added to the user entry as 'usercertificate;binary' attribute which he can view from CLI/WebUI as PEM and save it to a file by copy-pasting it (The functionality to save the certificate directly to a file is under development).

It should be possible to modify the certificate profile to restrict the maximum validity of the issued certificate but I have no knowledge about that. I have CC'ed Fraser Tweedale (the blog post author), he may help you with this.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to