Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Bret Wortman wrote:
> On 06/03/2016 01:04 PM, Rob Crittenden wrote:
> > Bret Wortman wrote:
> > > On 06/03/2016 11:02 AM, Rob Crittenden wrote:
> > > > Bret Wortman wrote:
> > > > > I'm not sure I'd call what we have "success" just yet. ;-)
> > > > >
> > > > > You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
> > > > > see how we go.
> > > > >
> > > > > Rob, would you have just used the existing "localhost.key" instead of
> > > > > generating a new one?
> > > >
> > > > No, I think you did the right thing, the default keysize was probably
> > > > still 1024 in F21. I double-checked the getcert-request man page and it
> > > > looks like it will use an existing key if one exists in the key file
> > > > passed in so I was wrong about that bit. You just didn't need to use req
> > > > to generate a CSR as certmonger will do that for you.
> > >
> > > Good to know.
> > >
> > > I tried the update-ca-trust on both the yum server and on my workstation
> > > but nothing changed even after an httpd restart. I did take a peek inside
> > > /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and didn't see my
> > > /etc/ipa/ca.crt in there (which may not be a problem, but I confess I'm
> > > not sure what should be where at this point).
> >
> > You'd only need to do this on the machine acting as a client.
> >
> > I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?
> >
> > $ certutil -L -d /etc/pki/nssdb
>
> It's in there on both the server and client.

Hmm, this works for me on an F-21 system. I created an empty repo, added a
yum config and was able to fetch it ok.

yum uses libcurl under the hood, you might try the same certutil command
using sql:/etc/pki/nssdb as the NSS database and add in the IPA CA to see if
that helps. Again, it is only needed on the client.

rob

> > rob
> Bret
> > > rob
> > > > > On 06/03/2016 09:48 AM, Rob Crittenden wrote:
> > > > > > Bret Wortman wrote:
> > > > > > > So for our internal yum server, I created a new key and cert
> > > > > > > request (it had a localhost key and cert but I wanted to start
> > > > > > > clean):
> > > > > > >
> > > > > > > # openssl genrsa 2048 > /etc/pki/tls/private/server.key
> > > > > > > # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
> > > > > > > # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r
> > > > > >
> > > > > > I try not to argue with success but I'd be curious what is actually
> > > > > > going on here. You generate a CSR and call it a certificate. It is
> > > > > > probably the case that certmonger is ignoring it altogether and
> > > > > > generating its own CSR.
> > > > > >
> > > > > > > ipa-getcert list shows it approved. I set up SSL in apache to use
> > > > > > > the above .key and .crt, but when I try to run yum against this
> > > > > > > using ssl:
> > > > > > >
> > > > > > > # yum search ffmpeg
> > > > > > > Loaded plugins: langpacks
> > > > > > > https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
> > > > > > > :
> > > > > > >
> > > > > > > Is there a step I need to take on the clients so they'll accept
> > > > > > > this cert as trusted? I thought having it be signed by the IPA CA
> > > > > > > would have taken care of that.
> > > > > > >
> > > > > > > # ls -l /etc/ipa/ca.crt
> > > > > > > -rw-r--r-- 1 root root 2546 Apr 28  2014 /etc/ipa/ca.crt
> > > > > > > #
> > > > > >
> > > > > > Pretty much only IPA tools know to use this file.
> > > > > >
> > > > > > My knowledge is a bit stale on adding the IPA CA to the global trust
> > > > > > but I'm pretty sure it is done automatically now and I think it was
> > > > > > in the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't
> > > > > > have this code.
> > > > > >
> > > > > > Look at this,
> > > > > > https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> > > > > >
> > > > > > The idea is to add the IPA CA to that and then all tools using SSL
> > > > > > would "just work".
> > > > > >
> > > > > > Something like:
> > > > > >
> > > > > > # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> > > > > > # update-ca-trust
> > > > > >
> > > > > > You'd need to remember to manually undo this if you ever redo your
> > > > > > IPA install (and get a new CA):
> > > > > >
> > > > > > # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> > > > > > # update-ca-trust
> > > > > >
> > > > > > Like I said, I'm pretty sure this is all automatic in some more
> > > > > > recent versions of IPA.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > ---
> > > > > > > Bret
> > > > > > >
> > > > > > > On 06/02/2016 07:25 PM, bret.wort...@damascusgrp.com wrote:
> > > > > > > > Cool. I'll give this a go in the morning.
> > > > > > > >
> > > > > > > > Bret Wortman
> > > > > > > > http://wrapbuddies.co/
> > > > > > > >
> > > > > > > > On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale, wrote:
> > > > > > > > > On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wort...@damascusgrp.com wrote:
> > > > > > > > > > Sorry, let me back up a step. We need to implement https
> > > > > > > > > > everywhere. All our web services. And clients need to get
> > > > > > > > > > keys & certs automatically whether through IPA or Puppet.
> > > > > > > > > > These systems use IPA for everything but authentication (to
> > > > > > > > > > keep most users off). I'm trying to suss out the easiest
> > > > > > > > > > way to make this happen smoothly.
> > > > > > > > >
> > > > > > > > > Hi Bret,
> > > > > > > > >
> > > > > > > > > You can use the IPA CA to sign service certificates. See
> > > > > > > > > http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
> > > > > > > > >
> > > > > > > > > IPA-enrolled machines already have the IPA certificate in
> > > > > > > > > their trust store. If the clients are IPA-enrolled, everything
> > > > > > > > > should Just Work, otherwise you can distribute the IPA CA
> > > > > > > > > certificate to clients via Puppet** or whatever means you
> > > > > > > > > prefer.
> > > > > > > > >
> > > > > > > > > ** you will have to work out how, because I do not know Puppet :)
> > > > > > > > >
> > > > > > > > > Cheers,
> > > > > > > > > Fraser
> > > > > > > > >
> > > > > > > > > > On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
On 06/03/2016 01:04 PM, Rob Crittenden wrote:
> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?
>
> $ certutil -L -d /etc/pki/nssdb

It's in there on both the server and client.

> rob
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
I'll check and report back Tuesday.

Bret Wortman
http://wrapbuddies.co/

On Jun 3, 2016, 1:04 PM -0400, Rob Crittenden, wrote:
> Bret Wortman wrote:
> > I tried the update-ca-trust on both the yum server and on my workstation
> > but nothing changed even after an httpd restart. I did take a peek inside
> > /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and didn't see my
> > /etc/ipa/ca.crt in there (which may not be a problem, but I confess I'm
> > not sure what should be where at this point).
>
> You'd only need to do this on the machine acting as a client.
>
> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?
>
> $ certutil -L -d /etc/pki/nssdb
>
> rob
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Bret Wortman wrote:
> Good to know.
>
> I tried the update-ca-trust on both the yum server and on my workstation but
> nothing changed even after an httpd restart. I did take a peek inside
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and didn't see my
> /etc/ipa/ca.crt in there (which may not be a problem, but I confess I'm not
> sure what should be where at this point).

You'd only need to do this on the machine acting as a client.

I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?

$ certutil -L -d /etc/pki/nssdb

rob

> Bret
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
On 06/03/2016 11:02 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
> > Rob, would you have just used the existing "localhost.key" instead of
> > generating a new one?
>
> No, I think you did the right thing, the default keysize was probably still
> 1024 in F21. I double-checked the getcert-request man page and it looks like
> it will use an existing key if one exists in the key file passed in so I was
> wrong about that bit. You just didn't need to use req to generate a CSR as
> certmonger will do that for you.

Good to know.

I tried the update-ca-trust on both the yum server and on my workstation but
nothing changed even after an httpd restart. I did take a peek inside
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and didn't see my
/etc/ipa/ca.crt in there (which may not be a problem, but I confess I'm not
sure what should be where at this point).

Bret

> rob
>
> [...]
> > On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
> > > Bret Wortman wrote:
> > > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > > internal SSL certificates? Our system runs on a private network and so
> > > > using the usual trusted sources isn't an option. We've been using
> > > > self-signed, but that adds some additional complications and we thought
> > > > this might be a good solution. Is it possible, and, since most online
> > > > guides defer to "submit the CSR to Verisign" or whomever, how would you
> > > > go about producing one in this way?
> > >
> > > Not sure I understand the question. The IPA CA is also self-signed. For
> > > enrolled systems though at least the CA is pre-distributed so maybe that
> > > will help.
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Bret Wortman wrote:
> I'm not sure I'd call what we have "success" just yet. ;-)
>
> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see
> how we go.
>
> Rob, would you have just used the existing "localhost.key" instead of
> generating a new one?

No, I think you did the right thing, the default keysize was probably still
1024 in F21. I double-checked the getcert-request man page and it looks like
it will use an existing key if one exists in the key file passed in so I was
wrong about that bit. You just didn't need to use req to generate a CSR as
certmonger will do that for you.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
I'm not sure I'd call what we have "success" just yet. ;-)

You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how
we go.

Rob, would you have just used the existing "localhost.key" instead of
generating a new one?

On 06/03/2016 09:48 AM, Rob Crittenden wrote:
> [...]
> Something like:
>
> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> # update-ca-trust
>
> You'd need to remember to manually undo this if you ever redo your IPA
> install (and get a new CA):
>
> # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
> # update-ca-trust
>
> [...]
> rob
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Bret Wortman wrote:
> So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean):
>
> # openssl genrsa 2048 > /etc/pki/tls/private/server.key
> # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
> # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r

I try not to argue with success but I'd be curious what is actually going on here. You generate a CSR and call it a certificate. It is probably the case that certmonger is ignoring it altogether and generating its own CSR.

> ipa-getcert list shows it approved.
>
> I set up SSL in apache to use the above .key and .crt, but when I try to run yum against this using ssl:
>
> # yum search ffmpeg
> Loaded plugins: langpacks
> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
>
> Is there a step I need to take on the clients so they'll accept this cert as trusted? I thought having it be signed by the IPA CA would have taken care of that.
>
> # ls -l /etc/ipa/ca.crt
> -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
> #

Pretty much only IPA tools know to use this file.

My knowledge is a bit stale on adding the IPA CA to the global trust but I'm pretty sure it is done automatically now and I think it was in the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have this code.

Look at this, https://fedoraproject.org/wiki/Features/SharedSystemCertificates

The idea is to add the IPA CA to that and then all tools using SSL would "just work". Something like:

# cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

You'd need to remember to manually undo this if you ever redo your IPA install (and get a new CA):

# rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

Like I said, I'm pretty sure this is all automatic in some more recent versions of IPA.

rob

> --
> Bret
>
> On 06/02/2016 07:25 PM, bret.wort...@damascusgrp.com wrote:
> > [...]
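As an added example (not code from the thread or from the FreeIPA project), here is the trust installation Rob sketches above, wrapped in functions with the checks you want before blaming yum: is the anchor still the CA the IPA client has, does the extracted bundle actually contain it, and does the web server's certificate chain to it. Assumptions not in the thread: the admin anchor directory /etc/pki/ca-trust/source/anchors (update-ca-trust also reads Rob's /usr/share/pki/ca-trust-source/anchors, the lower-priority location meant for packages), that openssl and certutil are installed where the checks use them, and the NSS nickname "IPA CA".

```shell
#!/bin/sh
# Added example, not from the thread: install the IPA CA into the shared
# system trust on a client that did not get it automatically, and verify
# the result the way an OpenSSL or NSS client on this host will see it.
#
# Assumptions (not stated in the thread):
#   - admin anchor directory /etc/pki/ca-trust/source/anchors is used;
#   - openssl is available for the chain checks, certutil for the NSS check;
#   - "IPA CA" is the nickname used in /etc/pki/nssdb.

IPA_CA=/etc/ipa/ca.crt
ANCHOR=/etc/pki/ca-trust/source/anchors/ipa-ca.pem
BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
NSSDB=sql:/etc/pki/nssdb

# Copy the CA ($1) to the anchor path ($2). Only the copy happens here so the
# function can be exercised against a scratch directory; the caller runs
# update-ca-trust afterwards (see the dispatcher at the bottom).
install_anchor() {
    mkdir -p "$(dirname "$2")" &&
    cp "$1" "$2" &&
    chmod 0644 "$2"
}

# True only while the anchor ($2) is byte-identical to the CA ($1) the IPA
# client currently has. After an IPA reinstall with a new CA this fails:
# that is the stale-anchor case Rob says you have to remember to clean up.
anchor_is_current() {
    [ -f "$2" ] && cmp -s "$1" "$2"
}

# Remove only the anchor; /etc/ipa/ca.crt belongs to the IPA client.
remove_anchor() {
    rm -f "$1"
}

# Does the trust bundle ($2) contain the CA ($1)? A self-signed CA verifies
# against a store only if that store holds it, so this is a presence test.
bundle_has_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the server certificate ($2) chain to the CA ($1)? Pass the extracted
# bundle as $1 to test exactly what OpenSSL-based clients on this host trust.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Is a certificate with nickname $2 present in the NSS database $1?
nss_has_ca() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

case "${1:-}" in
    install)
        install_anchor "$IPA_CA" "$ANCHOR" && update-ca-trust ;;
    remove)
        remove_anchor "$ANCHOR" && update-ca-trust ;;
    check)
        anchor_is_current "$IPA_CA" "$ANCHOR" || echo "anchor missing or stale: $ANCHOR" >&2
        bundle_has_ca "$IPA_CA" "$BUNDLE" || echo "IPA CA not in $BUNDLE (run update-ca-trust?)" >&2
        nss_has_ca "$NSSDB" "IPA CA" || echo "IPA CA not in $NSSDB" >&2
        if [ -n "${2:-}" ]; then verify_chain "$BUNDLE" "$2"; fi ;;
esac
```

Run it as `sh ipa-trust.sh install` on the client, then `sh ipa-trust.sh check /tmp/server.crt` with a copy of the yum host's certificate: verify_chain reads the same extracted bundle that OpenSSL-based clients use, so a failure there is the trust problem yum reported, reproduced without yum in the loop. The remove mode deliberately deletes only the anchor, not /etc/ipa/ca.crt.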
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean):

# openssl genrsa 2048 > /etc/pki/tls/private/server.key
# openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
# ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r

ipa-getcert list shows it approved.

I set up SSL in apache to use the above .key and .crt, but when I try to run yum against this using ssl:

# yum search ffmpeg
Loaded plugins: langpacks
https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."

Is there a step I need to take on the clients so they'll accept this cert as trusted? I thought having it be signed by the IPA CA would have taken care of that.

# ls -l /etc/ipa/ca.crt
-rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
#

--
Bret

On 06/02/2016 07:25 PM, bret.wort...@damascusgrp.com wrote:
> [...]
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Cool. I'll give this a go in the morning.

Bret Wortman
http://wrapbuddies.co/

On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale, wrote:
> [...]
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wort...@damascusgrp.com wrote:
> [...]

Hi Bret,

You can use the IPA CA to sign service certificates. See http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.

IPA-enrolled machines already have the IPA certificate in their trust store. If the clients are IPA-enrolled, everything should Just Work, otherwise you can distribute the IPA CA certificate to clients via Puppet** or whatever means you prefer.

** you will have to work out how, because I do not know Puppet :)

Cheers,
Fraser
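As an added example (not code from the thread, the Certmonger page Fraser links, or the FreeIPA project), this is the request Fraser points at, done the way Rob prefers over Bret's self-signed openssl step: certmonger generates the key and the CSR itself and asks the IPA CA to issue. The second half reads certmonger's tracking state back, because "approved" in ipa-getcert list is not the same as "issued and being renewed". Assumptions not in the thread: the realm PRIVATE.NET, the principal naming HTTP/<fqdn>@<REALM>, that this runs as root on the enrolled web host with an admin Kerberos ticket (ipa service-add needs one), and the sample ipa-getcert list output, which is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: get the HTTP service certificate for a
# web host issued by the IPA CA through certmonger, then read certmonger's
# tracking state back to see whether the request actually succeeded.
#
# Assumptions (not stated in the thread): realm PRIVATE.NET, principal name
# HTTP/<fqdn>@<REALM>, root on the enrolled host with an admin ticket, and
# the constructed "ipa-getcert list" sample below.

REALM=${REALM:-PRIVATE.NET}

# Build the request for host $1 (key and cert default to where Apache reads
# them). With DRY_RUN=1 the commands are printed instead of run, so the
# arguments can be reviewed offline.
#   -K  service principal the cert is issued for (must exist in IPA)
#   -N  subject;  -D  DNS SubjectAltName that clients will match against
#   -g  key size certmonger uses when it generates the key
#   -w  wait for the CA instead of returning as soon as the request is queued
request_service_cert() {
    fqdn=$1
    key=${2:-/etc/pki/tls/private/server.key}
    crt=${3:-/etc/pki/tls/certs/server.crt}
    principal="HTTP/${fqdn}@${REALM}"
    set -- ipa-getcert request -K "$principal" -N "CN=${fqdn}" -D "$fqdn" \
        -k "$key" -f "$crt" -g 2048 -w
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "ipa service-add $principal" "$*"
    else
        ipa service-add "$principal" 2>/dev/null || true   # already present is fine
        "$@"
    fi
}

# Constructed sample of "ipa-getcert list" output: one healthy request and
# one stuck because the CA could not be reached.
SAMPLE_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160603134512':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/server.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/server.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=PRIVATE.NET
        subject: CN=yum.private.net,O=PRIVATE.NET
        expires: 2018-06-04 13:45:13 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        track: yes
        auto-renew: yes
Request ID '20160603140201':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/tls/private/other.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/other.crt'
        CA: IPA
        track: yes
        auto-renew: yes
EOF
)

# Print field $3 of the request whose certificate lives at $2, reading the
# list output from $1. Fails when no request tracks that path.
getcert_field() {
    printf '%s\n' "$1" | awk -v path="$2" -v field="$3" '
        /^Request ID/ { n++; next }
        n > 0 {
            line = $0; sub(/^[ \t]+/, "", line)
            i = index(line, ": ")
            if (i > 0) rec[n, substr(line, 1, i - 1)] = substr(line, i + 2)
        }
        END {
            for (r = 1; r <= n; r++)
                if (index(rec[r, "certificate"], "location=\047" path "\047") > 0) {
                    print rec[r, field]; exit 0
                }
            exit 1
        }'
}

# Healthy means certmonger holds the issued cert and is renewing it
# (MONITORING) and is not stuck waiting on the CA.
getcert_healthy() {
    [ "$(getcert_field "$1" "$2" status)" = MONITORING ] &&
    [ "$(getcert_field "$1" "$2" stuck)" = no ]
}
```

On the web host, `DRY_RUN=1; request_service_cert yum.private.net` shows the two commands that would run; without DRY_RUN they run. Afterwards `getcert_healthy "$(ipa-getcert list)" /etc/pki/tls/certs/server.crt` is the check to put in monitoring: the issuer line it reads is the IPA CA, so a client that still rejects the server is a client trust problem, not an issuance problem.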
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Sorry, let me back up a step. We need to implement https everywhere. All our web services. And clients need to get keys&certs automatically whether through IPA or Puppet. These systems use IPA for everything but authentication (to keep most users off). I'm trying to suss out the easiest way to make this happen smoothly.

Bret Wortman
http://wrapbuddies.co/

On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
> [...]
Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Bret Wortman wrote:
> Is it possible to use our freeipa CA as a trusted CA to sign our internal SSL certificates? Our system runs on a private network and so using the usual trusted sources isn't an option. We've been using self-signed, but that adds some additional complications and we thought this might be a good solution.
>
> Is it possible, and, since most online guides defer to "submit the CSR to Verisign" or whomever, how would you go about producing one in this way?

Not sure I understand the question. The IPA CA is also self-signed. For enrolled systems though at least the CA is pre-distributed so maybe that will help.

rob