Re: [Freeipa-users] User certificate workflow

2016-03-18 Thread Alessandro De Maria
Fantastic thank you!
On 16 Mar 2016 12:21 a.m., "Fraser Tweedale" wrote:

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Fraser Tweedale
On Tue, Mar 15, 2016 at 09:39:12AM +, Alessandro De Maria wrote:
Hi Alessandro,

The easiest way to get the cert is with `ipa user-show` (if
it was saved to the IPA directory after issuance, which is controlled
by the `store` option Martin mentioned). E.g.:

ipa user-show alice --out=cert.pem

Which will save alice's certificate(s) to the file `cert.pem`.

If you copy the data from the web UI and save it to a file, the
following will convert it to PEM:

base64 -d < cert.txt | openssl x509 -inform DER > cert.pem

Finally, to configure a profile to issue certificates with a
validity of X days, the relevant profile configuration is:

policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=X
policyset.serverCertSet.2.default.params.startTime=0

Replace `X` above with the desired lifetime in days.  (Note that the
index (`2`, above) may be different for different profiles.)

Cheers,
Fraser


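The profile snippet Fraser quotes is the key=value form Dogtag uses, and his two caveats (the policy index is not always `2`; the default range must stay within the constraint range, otherwise the constraint rejects the issued validity) are easy to get wrong when editing by hand. The following is an added example, not code from the thread or from FreeIPA itself: it parses that format, finds the validity policy by `class_id` rather than by index, sets the default range, and refuses a lifetime above the constraint range. `SAMPLE_PROFILE` is the snippet from the thread embedded as constructed input.

```python
"""Set the validity of a Dogtag/FreeIPA profile from its key=value config."""
import re

# Constructed sample: the snippet from the thread, policy index 2, placeholder X.
SAMPLE_PROFILE = """\
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=X
policyset.serverCertSet.2.default.params.startTime=0
"""

# policyset.<set>.<index>.(constraint|default).<attr>=<value>
KEY_RE = re.compile(r"^(policyset\.[^.]+\.\d+)\.(constraint|default)\.(.+)$")


def parse_profile(text):
    """Group constraint/default attributes by policy prefix (set + index)."""
    policies = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = line.strip().split("=", 1)
        m = KEY_RE.match(key)
        if m:
            prefix, side, attr = m.groups()
            policies.setdefault(prefix, {}).setdefault(side, {})[attr] = value
    return policies


def find_validity_policy(policies):
    """Locate the validity policy by class_id, since the index varies per profile."""
    for prefix, sides in policies.items():
        if sides.get("default", {}).get("class_id") == "validityDefaultImpl":
            return prefix
    raise ValueError("profile has no validityDefaultImpl policy")


def set_validity_days(text, days):
    """Return the config with the validity default set to `days` (1..constraint range)."""
    policies = parse_profile(text)
    prefix = find_validity_policy(policies)
    limit = int(policies[prefix]["constraint"]["params.range"])
    if not 0 < days <= limit:  # the constraint rejects a validity longer than its range
        raise ValueError(f"{days} days exceeds the constraint range of {limit} days")
    key = f"{prefix}.default.params.range="
    lines = [key + str(days) if ln.startswith(key) else ln for ln in text.splitlines()]
    return "\n".join(lines) + "\n"
```

The returned text is what you would hand to `ipa certprofile-mod --file` for the custom profile.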


Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Alessandro De Maria
Thank you Martin that's very helpful.

The annoying thing about cut/paste from web ui is that the cert is not
wrapped at 60 chars like it should be, but I guess I'll have to wait for
the save certificate functionality.
Any idea of when that's planned for?

Regards
Alessandro

On 15 March 2016 at 08:50, Martin Babinsky wrote:




-- 
Alessandro De Maria
alessandro.dema...@gmail.com
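The web UI shows the `usercertificate;binary` value as one unwrapped base64 line; Fraser's `base64 -d | openssl x509 -inform DER` pipeline turns it back into PEM, which by RFC 7468 uses 64-character lines. The following is an added example, not code from the thread or from FreeIPA: it does the same conversion offline and, because a partial copy-paste is the usual way this goes wrong, first checks that the decoded bytes are exactly one complete DER SEQUENCE before wrapping them. `SAMPLE_WEBUI_TEXT` is a constructed DER stand-in, not a real certificate.

```python
"""Convert the unwrapped base64 shown in the FreeIPA web UI into a PEM file."""
import base64
import binascii

# Constructed stand-in for a certificate: a 260-byte DER SEQUENCE with a
# long-form length (0x82 0x01 0x00), not a real X.509 certificate. It is
# enough to exercise the completeness check and the 64-column wrapping.
SAMPLE_WEBUI_TEXT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()


def der_length(der):
    """Total size of the outer DER element, or None if the header is malformed."""
    if len(der) < 2 or der[0] != 0x30:  # a Certificate is an ASN.1 SEQUENCE
        return None
    first = der[1]
    if first < 0x80:                    # short form: one length byte
        return 2 + first
    n = first & 0x7F                    # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def webui_to_pem(text):
    """Same result as `base64 -d < cert.txt | openssl x509 -inform DER`."""
    blob = "".join(text.split())  # the UI value has no line breaks; drop pasted whitespace
    try:
        der = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    total = der_length(der)
    if total is None or total != len(der):  # truncated or over-long paste
        raise ValueError("pasted data is not exactly one DER certificate")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # RFC 7468 line length
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```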

Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Martin Babinsky

On 03/15/2016 08:39 AM, Alessandro De Maria wrote:

Hello,

I would like to have authenticated users upload a CSR and
have their certificate automatically signed. Their certificate would
expire in x days.

Given the short life of the certificate, I would then like them to be
able to easily download the certificate.

Any suggestion on how to do it?
I would prefer the shell script approach, but also having it self-serviced
on the web UI would be great.

Regards


--
Alessandro De Maria
alessandro.dema...@gmail.com 




Hi Alessandro,

for FreeIPA 4.2+ you can use the following links as a guide to set up a
custom profile and CA ACL rules so that users can request certificates
for themselves:

http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

The user can then generate a CSR, e.g. using OpenSSL, and use 'ipa
cert-request' to send it to the IPA CA. If you specify 'store=True' when
adding the custom certificate profile, the certificate will be added to
the user entry as the 'usercertificate;binary' attribute, which he can view
from CLI/WebUI as PEM and save to a file by copy-pasting it (the
functionality to save the certificate directly to a file is under
development).


It should be possible to modify the certificate profile to restrict the 
maximum validity of the issued certificate but I have no knowledge about 
that. I have CC'ed Fraser Tweedale (the blog post author), he may help 
you with this.


--
Martin^3 Babinsky
