[Freeipa-users] Re: Host vs. service certificates
On Tue, 04 Dec 2018, Rob Foehl via FreeIPA-users wrote:
> On Tue, 4 Dec 2018, Fraser Tweedale wrote:
>
> > On Tue, Dec 04, 2018 at 01:49:04AM -0500, Rob Foehl via FreeIPA-users wrote:
> > > Is the service principal necessary just to satisfy this requirement?
> >
> > It is required, but you can use the host principal, i.e.
> > "host/foo.example.com@YOUR.REALM".
>
> Ahhh, of course. Works fine, thanks!
>
> (For what it's worth, every reference I could find for ipa-getcert -K
> explicitly calls it a service principal, while the getcert-request(1) man
> page just says principal name. I also couldn't find an example of how to
> create a host certificate using ipa-getcert, only via the UI or at
> ipa-client-install time.)

In Kerberos jargon a 'service principal' is one that is built from one or
more components stitched together with '/'. The first part is typically a
service name, the second a hostname. There may be three-part service
principals (used by Active Directory), but typically service/host@REALM is
the way to express service principals.

getcert-request(1) talks about a 'principal name' because it is not
certmonger that considers the difference; the KDC and the CA do. The FreeIPA
framework makes sure that whatever Kerberos principal is added to the
certificate is validated to be allowed to be present there. Since a client
certificate can be used to authenticate in lieu of a Kerberos key, the
principal specified in the certificate represents whose identity it
impersonates. You certainly wouldn't expect a regular certificate to
impersonate your 'admin' principal and gain the ability to obtain a ticket
granting ticket for 'admin'.

See https://ssimo.org/blog/id_016.html for more details.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
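The distinction Alexander draws above (a bare name is a user principal; components joined with '/' form a service principal, of which host/fqdn@REALM is the host principal; and the CA must only accept a principal the requester is entitled to carry) can be made concrete with a small model. The code below is an added illustration for this thread, not FreeIPA's or certmonger's own validation logic. The rule it applies, that the principal's hostname component must match one of the certificate's subjectAltName DNS names and that user principals such as admin@REALM are never accepted, is an assumption made here to keep the example self-contained; the real IPA server checks the request against the enrolled host or service object and the requester's privileges.

```python
"""Model of the check described in the thread: a principal placed in a
certificate must be a host or service principal for the host the
certificate names, never a user principal.

Added example for this mailing-list thread; not FreeIPA or certmonger code.
Kerberos backslash escaping of '/' and '@' is not handled here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # name parts split on '/', e.g. ('host', 'foo.example.com')
    realm: Optional[str]

    @property
    def kind(self) -> str:
        # One component: a user principal such as admin@REALM.
        # Two or more: a service principal, service/host@REALM. The
        # 'host' service is the host principal ipa-client-install creates.
        if len(self.components) == 1:
            return "user"
        if len(self.components) == 2 and self.components[0] == "host":
            return "host"
        return "service"

    @property
    def hostname(self) -> Optional[str]:
        # Second component of service/host@REALM. Assumed here to hold for
        # three-part principals as well (the Active Directory form).
        return self.components[1] if len(self.components) >= 2 else None


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into its components and realm.

    The realm is everything after the last '@'; components are separated
    by '/'. Empty components and an empty realm are rejected.
    """
    name, realm = text, None
    at = text.rfind("@")
    if at != -1:
        name, realm = text[:at], text[at + 1:]
        if not realm:
            raise ValueError(f"empty realm in {text!r}")
    components = tuple(name.split("/"))
    if not all(components):
        raise ValueError(f"empty component in {text!r}")
    return Principal(components, realm)


def principal_allowed_in_cert(principal_text: str, san_dns: List[str],
                              expected_realm: str) -> bool:
    """Return True when the principal may appear in a certificate whose
    subjectAltName dNSName entries are san_dns (assumed policy, see above)."""
    p = parse_principal(principal_text)
    if p.realm != expected_realm:
        return False            # foreign or missing realm: not ours to vouch for
    if p.kind == "user":
        return False            # a TLS cert must not stand in for 'admin'
    names = {d.lower().rstrip(".") for d in san_dns}
    return p.hostname.lower().rstrip(".") in names


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's example request.
    san = ["test.example.com"]
    for cand in ("host/test.example.com@YOUR.REALM",   # Fraser's suggestion
                 "HTTP/test.example.com@YOUR.REALM",   # a service principal
                 "host/other.example.com@YOUR.REALM",  # wrong host
                 "admin@YOUR.REALM"):                  # user principal
        p = parse_principal(cand)
        ok = principal_allowed_in_cert(cand, san, "YOUR.REALM")
        print(f"{cand:40} kind={p.kind:8} allowed={ok}")
```

Run as a script it prints one line per candidate; only the host and service principals for test.example.com are accepted.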
[Freeipa-users] Re: Host vs. service certificates
On Tue, 4 Dec 2018, Fraser Tweedale wrote:

> On Tue, Dec 04, 2018 at 01:49:04AM -0500, Rob Foehl via FreeIPA-users wrote:
> > Is the service principal necessary just to satisfy this requirement?
>
> It is required, but you can use the host principal, i.e.
> "host/foo.example.com@YOUR.REALM".

Ahhh, of course. Works fine, thanks!

(For what it's worth, every reference I could find for ipa-getcert -K
explicitly calls it a service principal, while the getcert-request(1) man
page just says principal name. I also couldn't find an example of how to
create a host certificate using ipa-getcert, only via the UI or at
ipa-client-install time.)

-Rob
[Freeipa-users] Re: Host vs. service certificates
On Tue, Dec 04, 2018 at 01:49:04AM -0500, Rob Foehl via FreeIPA-users wrote:
> On Tue, 4 Dec 2018, Fraser Tweedale wrote:
>
> > No significant differences for most use cases. If using only host
> > principals works for you, go ahead.
>
> Probably should've tried it first... A request like this:
>
> ipa-getcert request -f cert -k key -D test.example.com -w
>
> fails with "The IPA backend requires the use of the -K option (principal
> name) when the -N option (subject name) is used.", which appears to be
> actually due to the use of -D to set subjectAltName.
>
> Is the service principal necessary just to satisfy this requirement?
>
It is required, but you can use the host principal, i.e.
"host/foo.example.com@YOUR.REALM".

Cheers,
Fraser

> -Rob
[Freeipa-users] Re: Host vs. service certificates
On Tue, 4 Dec 2018, Fraser Tweedale wrote:

> No significant differences for most use cases. If using only host
> principals works for you, go ahead.

Probably should've tried it first... A request like this:

ipa-getcert request -f cert -k key -D test.example.com -w

fails with "The IPA backend requires the use of the -K option (principal
name) when the -N option (subject name) is used.", which appears to be
actually due to the use of -D to set subjectAltName.

Is the service principal necessary just to satisfy this requirement?

-Rob
[Freeipa-users] Re: Host vs. service certificates
On Mon, Dec 03, 2018 at 06:23:04PM -0500, Rob Foehl via FreeIPA-users wrote:
> Are there any practical differences between IPA-issued certificates for
> hosts and services (ipa-getcert -K service/hostname for the latter), if
> they're only being used to identify the host in a non-Kerberos-aware TLS
> context?
>
> I'd like to omit the service management if it's not useful in this case.
>
No significant differences for most use cases. If using only host
principals works for you, go ahead.

The main drawback is if you have a lot of different certs, it blows up the
size of the host object in LDAP. (True of services too, but if you are
using service principals you won't need so many certs on a single object).

Cheers,
Fraser

> -Rob