Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Michael Anderson

Hi Martin,

thanks for your reply.

On 09/23/2015 09:07 AM, Martin Kosek wrote:
> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>> Hi All,
>>
>> we're evaluating freeipa/dogtag as a pki management service and hoping to
>> replace our existing menagerie of bash/openssl scripts. I'm trying to establish
>> a migration path for our existing pki solution and have a few questions:
>
> Hi Michael,
>
> Before you continue with the project, please keep in mind that FreeIPA PKI
> capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
> It does not allow you to generate completely random certificates (at the
> moment).

Does that mean that I can only generate certificates for hosts running
the client software? What I'd really like to be able to do is automate
Apache/Nginx SSL cert generation for our dev/continuous-delivery
infrastructure. So I'd like to have two or three signing CA's for dev,
staging and prod and automate CSR creation, signing and deployment. Is
this feasible with freeipa?

>> '* how can I import and use our existing CA signing cert?
>> * can I import existing server certs and keys?
>
> Could you create FreeIPA server CA as subordinate CA to your current CA? To me,
> it seems the easiest way as I do not think we have some nice CLIs to inject
> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
> have an idea.
>
> More here:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructurell

With my current project I'll be rebuilding a lot of stuff, so starting
fresh with a new freeipa-generated signing cert won't be such a problem.
That said, it seems to me that the ability to import and use an existing
signing cert would lower the adoption threshold for new users.

>> * I'm using Fedora22. When I install dogtag-pki, the user page for submitting
>> csr's is available. But when I install the freeipa package, I get a 404 when
>> attempting to access the page. Is this functionality available in freeipa?
>
> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
> and passing the certificates from/to user. I think the Dogtag UI should be
> still somehow accessible, but is not the supported way.
>
> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
> via certmonger (man ipa-getcert) component that even renews the certificate.
>
> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
> related capabilities than older versions, for beginning Certificate Profiles,
> which are a must if you do not want to use just single fixed cert profile.

I'm using the version packaged with Fedora 22, 4.1.4

> More here:
> http://www.freeipa.org/page/Releases/4.2.0
>
> Martin


-- 
Michael Anderson
IT Services & Support

elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany

phone +49 30 23 45 86 96  michael.anderson at elegosoft.com
fax   +49 30 23 45 86 95  http://www.elegosoft.com

Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin Amtsgericht
Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Fraser Tweedale
On Wed, Sep 23, 2015 at 09:07:31AM +0200, Martin Kosek wrote:
> On 09/22/2015 12:41 PM, Michael Anderson wrote:
> > Hi All,
> > 
> > we're evaluating freeipa/dogtag as a pki management service and hoping to
> > replace our existing menagerie of bash/openssl scripts. I'm trying to 
> > establish
> > a migration path for our existing pki solution and have a few questions:
> 
> Hi Michael,
> 
> Before you continue with the project, please keep in mind that FreeIPA PKI
> capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
> It does not allow you to generate completely random certificates (at the 
> moment).
> 
> > * how can I import and use our existing CA signing cert?
> > * can I import existing server certs and keys?
> 
> Could you create FreeIPA server CA as subordinate CA to your current CA? To 
> me,
> it seems the easiest way as I do not think we have some nice CLIs to inject
> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
> have an idea.
> 
Indeed, there does not seem to be a supported way to do this but you
are not the only one asking for it (another thread on freeipa-users
today asks the same question).  So it is worth filing a ticket if
there is not one already.

For a workaround, you could probably do it by overwriting a keypair
in the nssdb in between step 1 and step 2 of ipa-server-install; it
is a nasty hack and I have not tried it, but it is my only idea
right now.

> More here:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
> 
> > * I'm using Fedora22. When I install dogtag-pki, the user page for 
> > submitting
> > csr's is available. But when I install the freeipa package, I get a 404 when
> > attempting to access the page. Is this functionality available in freeipa?
> 
> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
> and passing the certificates from/to user. I think the Dogtag UI should be
> still somehow accessible, but is not the supported way.
> 
It should be accessible on ports 8080 / 8443, i.e.
https://your.domain:8443/ca/ee/ca.  The full power of Dogtag is
available to you, but as stated it is not the supported way, and if
FreeIPA itself does not solve your certificate use cases, please make
sure we know about them so we can determine whether we should
support it in FreeIPA directly.

Cheers,
Fraser

> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
> via certmonger (man ipa-getcert) component that even renews the certificate.
> 
> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
> related capabilities than older versions, for beginning Certificate Profiles,
> which are a must if you do not want to use just single fixed cert profile.
> 
> More here:
> http://www.freeipa.org/page/Releases/4.2.0
> 
> Martin



Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Martin Kosek
On 09/22/2015 12:41 PM, Michael Anderson wrote:
> Hi All,
> 
> we're evaluating freeipa/dogtag as a pki management service and hoping to
> replace our existing menagerie of bash/openssl scripts. I'm trying to 
> establish
> a migration path for our existing pki solution and have a few questions:

Hi Michael,

Before you continue with the project, please keep in mind that FreeIPA PKI
capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
It does not allow you to generate completely random certificates (at the 
moment).

> * how can I import and use our existing CA signing cert?
> * can I import existing server certs and keys?

Could you create FreeIPA server CA as subordinate CA to your current CA? To me,
it seems the easiest way as I do not think we have some nice CLIs to inject
existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
have an idea.

More here:
http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

> * I'm using Fedora22. When I install dogtag-pki, the user page for submitting
> csr's is available. But when I install the freeipa package, I get a 404 when
> attempting to access the page. Is this functionality available in freeipa?

When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
and passing the certificates from/to user. I think the Dogtag UI should be
still somehow accessible, but is not the supported way.

FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
via certmonger (man ipa-getcert) component that even renews the certificate.

BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
related capabilities than older versions, for beginning Certificate Profiles,
which are a must if you do not want to use just single fixed cert profile.

More here:
http://www.freeipa.org/page/Releases/4.2.0

Martin



Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Martin Kosek
On 09/23/2015 10:05 AM, Michael Anderson wrote:
> Hi Martin,
> 
> thanks for your reply.
> 
> On 09/23/2015 09:07 AM, Martin Kosek wrote:
>> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>>>   Hi All,
>>>
>>> we're evaluating freeipa/dogtag as a pki management service and hoping to
>>> replace our existing menagerie of bash/openssl scripts. I'm trying to 
>>> establish
>>> a migration path for our existing pki solution and have a few questions:
>> Hi Michael,
>>
>> Before you continue with the project, please keep in mind that FreeIPA PKI
>> capabilities are bound to the FreeIPA objects - i.e. users, hosts or 
>> services.
>> It does not allow you to generate completely random certificates (at the
>> moment).
> 
> Does that mean that I can only generate certificates for hosts running the
> client software?

Well, you need at least the host object in FreeIPA, to be able to generate
certificate for it. It does not need to be effectively used.

> What I'd really like to be able to do is automate Apache/Nginx
> SSL cert generation for our dev/continuous-delivery infrastructure. So I'd 
> like
> to have two or three signing CA's for dev, staging and prod and automate CSR
> creation, signing and deployment. Is this feasible with freeipa?

So the requirement here is to have different Sub-CA for these environments?
FreeIPA 4.2 cannot do Sub-CAs yet, this is work proposed for next release:

https://fedorahosted.org/freeipa/ticket/4559

BTW, this is how you can request renewable certificates for HTTP with FreeIPA:

http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

>>> '* how can I import and use our existing CA signing cert?
>>> * can I import existing server certs and keys?
>> Could you create FreeIPA server CA as subordinate CA to your current CA? To 
>> me,
>> it seems the easiest way as I do not think we have some nice CLIs to inject
>> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
>> have an idea.
>>
>> More here:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructurell
> 
> With my current project I'll be rebuilding a lot of stuff, so starting fresh
> with a new freeipa-generated signing cert won't be such a problem. That said,
> it seems to me that the ability to import and use an existing signing cert
> would lower the adoption threshold for new users.

My point was that if FreeIPA is a subordinate CA, it should be still trusted by
your clients that would have already imported its CA certificate.

>>> * I'm using Fedora22. When I install dogtag-pki, the user page for 
>>> submitting
>>> csr's is available. But when I install the freeipa package, I get a 404 when
>>> attempting to access the page. Is this functionality available in freeipa?
>> When PKI is configured as part of FreeIPA, FreeIPA takes control of 
>> requesting
>> and passing the certificates from/to user. I think the Dogtag UI should be
>> still somehow accessible, but is not the supported way.
>>
>> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, 
>> or
>> via certmonger (man ipa-getcert) component that even renews the certificate.
>>
>> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more 
>> PKI
>> related capabilities than older versions, for beginning Certificate Profiles,
>> which are a must if you do not want to use just single fixed cert profile.
> 
> I'm using the version packaged with Fedora 22, 4.1.4

Ok. If you want to try the new FreeIPA 4.2 with Certificate Profiles on Fedora
22, there should be a COPR repo also:

https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/

>> More here:
>> http://www.freeipa.org/page/Releases/4.2.0
>>
>> Martin
> 



[Freeipa-users] [Import existing CA Cert]

2015-09-22 Thread Michael Anderson

Hi All,

we're evaluating freeipa/dogtag as a pki management service and hoping
to replace our existing menagerie of bash/openssl scripts. I'm trying to
establish a migration path for our existing pki solution and have a few
questions:


* how can I import and use our existing CA signing cert?
* can I import existing server certs and keys?
* I'm using Fedora22. When I install dogtag-pki, the user page for 
submitting csr's is available. But when I install the freeipa package, I 
get a 404 when attempting to access the page. Is this functionality 
available in freeipa?


Thanks!

Michael Anderson
