David Kupka wrote:
On 24/10/16 19:26, Gilbert Wilson wrote:


On Oct 24, 2016, at 5:51 AM, David Kupka <dku...@redhat.com> wrote:

On 22/10/16 00:15, Gilbert Wilson wrote:
We have a lot of FreeBSD systems for which I would like to streamline
certificate issuance and renewal. Ideally, we could leverage our
FreeIPA system's CA to do this. But, certmonger doesn't run on
FreeBSD (or does it?). What other means have other people tried, or
would you recommend investigating, to enable automated certificate
issuance and renewal for FreeBSD FreeIPA clients?

Any pointers are appreciated!

Gil


Hello Gil!

I have very limited experience with *BSD systems, so the question may
be completely off.
Have you tried to install and run certmonger using FreeBSD's Linux
Binary Compatibility [1]? Though I don't know what the limitations or
possible issues are, it could be a way.

[1] http://www.freebsd.cz/doc/handbook/linuxemu.html

--
David Kupka


You know… I haven’t ever tried LBC! I suppose it’s worth a sacrificial
virtual machine to see if it works. It also occurred to me that
FreeIPA might have some sort of API given the web interface, and sure
enough that made the Google-fu turn up more useful results.

* https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
* https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
* http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA


There doesn’t appear to be a manual for the API but those examples
seem to “show the way”. My initial thought is to create a script that
uses kinit with a keytab to authenticate against FreeIPA and then
create/renew permissible certificates for the system before they
expire. This seems reasonable since the certificate creation/renewal
is the scope of what I’m interested in doing. Do you see any reason
not to do it this way or have any other alternative suggestions?
Another way to think about it, perhaps, is what would you do on a
Linux system if you didn’t have access to the FreeIPA client or
certmonger?

Thanks for the pointer/reminder about LBC!

Gil
You're right, FreeIPA has a JSON-RPC API. It's used in the WebUI and also in
the 'ipa' CLI. If you have FreeIPA server 4.2 or above, there's an API Browser
in the WebUI (IPA Server - API Browser). There you can find all commands and
their parameters.
Just an obligatory disclaimer: talking directly to the API is not
officially supported. This means that the API can change in future
versions.

Good luck!

And this is sort of reinventing the wheel. certmonger uses the API already.

Have you tried building certmonger on BSD? It should be pretty portable C code, it just might require installing additional dependencies like libcurl (with GSSAPI support) and probably a few others.

You'd also need to manually configure Kerberos, get a keytab for it and create a basic /etc/ipa/default.conf.

rob
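Below is an added example, not code from the thread, the FreeIPA project or certmonger, showing what Gil's "kinit with a keytab, then talk to the API" script could look like on a FreeBSD client. It follows the session flow from the linked posts (POST to /ipa/session/login_kerberos with SPNEGO to get an ipa_session cookie, then JSON-RPC POSTs to /ipa/session/json with a Referer header), and issues the same call as `ipa cert-request --principal=... csr.pem`. The server name ipa.example.test, the host principal, the file paths and the kinit flags are assumptions (Heimdal's kinit in FreeBSD base takes `-t keytab principal` without `-k`); curl must be built with GSSAPI support, as Rob notes. Only the pure helpers (request body, response unwrapping, expiry check, PEM wrapping) run offline; the network functions need a real server. As the disclaimer above says, the API is not an officially supported interface and may change.

```python
"""Renew a FreeIPA-issued certificate on a FreeBSD host via the JSON-RPC API.

Added example (not from the thread). Assumptions, all hypothetical:
  IPA_SERVER, CA_BUNDLE, COOKIEJAR, KINIT_CMD and the host principal used
  by the caller. TLS is verified against the IPA CA chain via --cacert.
"""
import datetime as dt
import json
import subprocess
import textwrap

IPA_SERVER = "ipa.example.test"            # assumption: hypothetical server name
CA_BUNDLE = "/etc/ipa/ca.crt"              # assumption: IPA CA chain copied to the client
COOKIEJAR = "/var/run/ipa-session.cookie"  # assumption: where curl keeps ipa_session
# assumption: MIT-style flags; Heimdal (FreeBSD base) is "kinit -t /etc/krb5.keytab host/..."
KINIT_CMD = ["kinit", "-k", "-t", "/etc/krb5.keytab"]


def jsonrpc_body(method, args=(), options=None, req_id=0):
    """FreeIPA JSON-RPC request: params is [positional args, options dict]."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": req_id}


def cert_request_body(csr_pem, principal):
    """Same call as `ipa cert-request --principal=<principal> csr.pem`."""
    return jsonrpc_body("cert_request", [csr_pem], {"principal": principal})


def unwrap(response):
    """Return response['result'], or raise with the server's error name/message."""
    err = response.get("error")
    if err:
        raise RuntimeError("%s: %s" % (err.get("name"), err.get("message")))
    return response["result"]


def parse_openssl_enddate(line):
    """Parse 'notAfter=Nov 12 22:35:00 2017 GMT' (openssl x509 -enddate) to a UTC datetime."""
    value = line.split("=", 1)[1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    parsed = dt.datetime.strptime(value, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=dt.timezone.utc)


def needs_renewal(not_after, now=None, threshold_days=30):
    """True when the certificate expires within threshold_days (or already has)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return not_after - now <= dt.timedelta(days=threshold_days)


def pem_from_b64(der_b64):
    """cert_request returns the certificate as base64 DER; wrap it as PEM for services."""
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(der_b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def _curl(*extra):
    """curl with the cookie jar, CA pinning and the Referer header the API requires."""
    base = ["curl", "-sS", "--cacert", CA_BUNDLE, "-b", COOKIEJAR, "-c", COOKIEJAR,
            "-H", "Referer: https://%s/ipa" % IPA_SERVER]
    return subprocess.run(base + list(extra), check=True,
                          capture_output=True, text=True).stdout


def kerberos_login():
    """kinit with the host keytab, then get an ipa_session cookie via SPNEGO."""
    subprocess.run(KINIT_CMD, check=True)
    _curl("--negotiate", "-u", ":", "-X", "POST",
          "https://%s/ipa/session/login_kerberos" % IPA_SERVER)


def call(body):
    """POST one JSON-RPC request using the session cookie; return its result."""
    out = _curl("-H", "Content-Type: application/json", "-H", "Accept: application/json",
                "-X", "POST", "--data", json.dumps(body),
                "https://%s/ipa/session/json" % IPA_SERVER)
    return unwrap(json.loads(out))


def renew_if_needed(cert_path, csr_path, principal, threshold_days=30):
    """Renew cert_path from csr_path when it is near expiry; return the new PEM or None."""
    enddate = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
                             check=True, capture_output=True, text=True).stdout
    if not needs_renewal(parse_openssl_enddate(enddate), threshold_days=threshold_days):
        return None
    kerberos_login()
    with open(csr_path) as f:
        csr = f.read()
    result = call(cert_request_body(csr, principal))
    pem = pem_from_b64(result["result"]["certificate"])
    with open(cert_path, "w") as f:
        f.write(pem)
    return pem


if __name__ == "__main__":
    # assumption: a CSR for the host key was generated beforehand with openssl req
    renew_if_needed("/etc/ssl/bsd1.crt", "/etc/ssl/bsd1.csr", "host/bsd1.example.test")
```

Run it from cron with a 30-day threshold and it behaves like a stripped-down certmonger: a fresh session per run, the host keytab as the only credential, and a write of the new certificate only after the server returned one. The principal in the request must be one the host keytab is allowed to request certificates for, otherwise cert_request fails with an ACI error that unwrap() surfaces.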

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project