Bret Wortman wrote:



On 06/03/2016 11:02 AM, Rob Crittenden wrote:
Bret Wortman wrote:
I'm not sure I'd call what we have "success" just yet. ;-)

You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
see how we go.

Rob, would you have just used the existing "localhost.key" instead of
generating a new one?

No, I think you did the right thing, the default keysize was probably
still 1024 in F21. I double-checked the getcert-request man page and
it looks like it will use an existing key if one exists in the key
file passed in so I was wrong about that bit. You just didn't need to
use req to generate a CSR as certmonger will do that for you.

Good to know.

I tried the update-ca-trust on both the yum server and on my workstation
but nothing changed even after an httpd restart. I did take a peek
inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
I confess I'm not sure what should be where at this point).

You'd only need to do this on the machine acting as a client.

I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?

$ certutil -L -d /etc/pki/nssdb

rob



Bret

rob



On 06/03/2016 09:48 AM, Rob Crittenden wrote:
Bret Wortman wrote:
So for our internal yum server, I created a new key and cert request (it
had a localhost key and cert but I wanted to start clean):

    # openssl genrsa 2048 > /etc/pki/tls/private/server.key
    # openssl req -new -x509 -nodes -sha1 -days 365 -key
    /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
    # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k
    /etc/pki/tls/private/server.key -r

I try not to argue with success but I'd be curious what is actually
going on here. You generate a CSR and call it a certificate. It is
probably the case that certmonger is ignoring it altogether and
generating its own CSR.

ipa-getcert list shows it approved. I set up SSL in apache to use the
above .key and .crt, but when I try to run yum against this using ssl:

    # yum search ffmpeg
    Loaded plugins: langpacks
    https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
    [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
    not trusted by the user."
    :

Is there a step I need to take on the clients so they'll accept this
cert as trusted? I thought having it be signed by the IPA CA would have
taken care of that.

    # ls -l /etc/ipa/ca.crt
    -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
    #

Pretty much only IPA tools know to use this file.

My knowledge is a bit stale on adding the IPA CA to the global trust
but I'm pretty sure it is done automatically now and I think it was in
the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have
this code.

Look at this,
https://fedoraproject.org/wiki/Features/SharedSystemCertificates

The idea is to add the IPA CA to that and then all tools using SSL
would "just work".

Something like:

# cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

You'd need to remember to manually undo this if you ever redo your IPA
install (and get a new CA):

# rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

Like I said, I'm pretty sure this is all automatic in some more recent
versions of IPA.

rob


---
Bret

On 06/02/2016 07:25 PM, bret.wort...@damascusgrp.com wrote:
Cool. I'll give this a go in the morning.

Bret Wortman
http://wrapbuddies.co/

On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftwee...@redhat.com>,
wrote:
On Thu, Jun 02, 2016 at 05:35:01PM -0400,
bret.wort...@damascusgrp.com wrote:
Sorry, let me back up a step. We need to implement https
everywhere. All our web services. And clients need to get
keys&certs automatically whether through IPA or Puppet. These
systems use IPA for everything but authentication (to keep most
users off). I'm trying to suss out the easiest way to make this
happen smoothly.

Hi Bret,

You can use the IPA CA to sign service certificates. See
http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.

IPA-enrolled machines already have the IPA certificate in their
trust store. If the clients are IPA-enrolled, everything should
Just Work, otherwise you can distribute the IPA CA certificate to
clients via Puppet** or whatever means you prefer.

** you will have to work out how, because I do not know Puppet :)

Cheers,
Fraser



On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcrit...@redhat.com>, wrote:
Bret Wortman wrote:
Is it possible to use our freeipa CA as a trusted CA to sign our
internal SSL certificates? Our system runs on a private network and so
using the usual trusted sources isn't an option. We've been using
self-signed, but that adds some additional complications and we thought
this might be a good solution.

Is it possible, and, since most online guides defer to "submit the CSR
to Verisign" or whomever, how would you go about producing one in
this way?

Not sure I understand the question. The IPA CA is also self-signed. For
enrolled systems though at least the CA is pre-distributed so maybe that
will help.

rob


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
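A check for the trust state Rob describes, as an added example that is not code from the thread or from the FreeIPA project: it compares the certificate in /etc/ipa/ca.crt against the extracted shared-trust bundle and against the NSS database yum consults. The "IPA CA" nickname and the default paths are assumptions (Fedora defaults); every function takes them as parameters.

```shell
# Added example, not from the thread: after the cp + update-ca-trust step,
# confirm that /etc/ipa/ca.crt really landed in the shared system trust
# and that the NSS database yum/curl consult trusts it. Paths are Fedora
# defaults, passed as arguments so the logic can be tried on temp files.
# Base64 body of the first certificate in a PEM file, whitespace stripped,
# so two copies compare equal regardless of line wrapping or comments.
pem_body() {
    awk '/^-----END CERTIFICATE-----/ { exit }
         inside { printf "%s", $0 }
         /^-----BEGIN CERTIFICATE-----/ { inside = 1 }' "$1" | tr -d ' \t\r'
}

# 0 if the certificate in $1 is present in the PEM bundle $2, 1 if not,
# 2 if $1 holds no certificate. Use extracted/pem/tls-ca-bundle.pem, not
# extracted/openssl/ca-bundle.trust.crt: that file is in OpenSSL's
# "TRUSTED CERTIFICATE" encoding, so its base64 is not the bare cert.
ca_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 2
    tr -d ' \t\r\n' < "$2" | grep -qF -- "$body"
}

# 0 if NSS database $1 lists a cert whose nickname starts with $2 and
# whose SSL trust flags (first comma field of certutil's last column)
# include C; 1 otherwise; 2 if certutil (nss-tools) is not installed.
ca_trusted_in_nssdb() {
    command -v certutil >/dev/null 2>&1 || return 2
    certutil -L -d "$1" 2>/dev/null \
        | awk -v nick="$2" 'index($0, nick) == 1 { print $NF }' \
        | cut -d, -f1 | grep -q C
}

# Run both checks; defaults are the paths discussed in the thread and the
# "IPA CA" nickname is an assumption (adjust for your client).
check_ipa_ca_trust() {
    ca=${1:-/etc/ipa/ca.crt}
    bundle=${2:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}
    nssdb=${3:-/etc/pki/nssdb}
    if ca_in_bundle "$ca" "$bundle"; then
        echo "ok: $ca is in $bundle"
    else
        echo "missing: $ca not in $bundle; add it to the anchors dir and run update-ca-trust"
    fi
    rc=0; ca_trusted_in_nssdb "$nssdb" "IPA CA" || rc=$?
    case $rc in
        0) echo "ok: IPA CA trusted for SSL in $nssdb" ;;
        2) echo "skip: certutil not installed, cannot inspect $nssdb" ;;
        *) echo "missing: no trusted IPA CA in $nssdb (certutil -L -d $nssdb)" ;;
    esac
}
```

Run `check_ipa_ca_trust` on the client that reported curl#60; a "missing" for the bundle means update-ca-trust never picked the anchor up, a "missing" for the NSS database means yum's curl still has no path to the IPA CA.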