I'm trying to create a sub CA that is managed by IPA and be able to sign certificates with arbitrary subjects.
You can create a profile for a sub CA and sign the sub CA certificate. I have followed this guide previously with success: https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html

Doing it this way, you have to manage the private key yourself. What I want to do now is to let IPA manage the private key and the sub CA just like the root CA. This will let me use the IPA API to request certificates with the issuer set to the sub CA.

I did roughly the following:

    # ipa ca-add kubernetes-ca --subject=CN=kubernetes-ca,O=$DOMAIN --desc='Kubernetes general CA'
    # ipa ca-add etcd-ca --subject=CN=etcd-ca,O=$DOMAIN --desc='For all etcd-related functions'
    # ipa ca-add kubernetes-front-proxy-ca --subject=CN=kubernetes-front-proxy-ca,O=$DOMAIN --desc='For the front-end proxy'
    # ipa certprofile-import ipaSubCA --desc "IPA Managed Sub CA certs" --file subCA.cfg --store=1
    # ipa host-add --no-reverse --force k8s.$DOMAIN
    # ipa caacl-add ipaSubCA
    # ipa caacl-add-ca ipaSubCA --ca kubernetes-ca
    # ipa caacl-add-profile ipaSubCA --certprofile ipaSubCA
    # ipa caacl-add-host ipaSubCA --hosts k8s.$DOMAIN

When creating the profile, I removed the common name constraint and the commonNameToSANDefaultImpl as per the guide.

My ipaSubCA.cfg:

    auth.instance_id=raCertAuth
    classId=caEnrollImpl
    desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
    enable=true
    enableBy=ipara
    input.i1.class_id=certReqInputImpl
    input.i2.class_id=submitterInfoInputImpl
    input.list=i1,i2
    name=IPA-RA Agent-Authenticated Server Certificate Enrollment
    output.list=o1
    output.o1.class_id=certOutputImpl
    policyset.list=serverCertSet
    policyset.serverCertSet.1.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.1.constraint.name=No Constraint
    policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
    policyset.serverCertSet.1.default.name=Subject Name Default
    policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.10.constraint.name=No Constraint
    policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
    policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
    policyset.serverCertSet.10.default.params.critical=false
    policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.11.constraint.name=No Constraint
    policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
    policyset.serverCertSet.11.default.name=User Supplied Extension Default
    policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
    policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.12.constraint.name=No Constraint
    policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
    policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
    policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
    policyset.serverCertSet.2.constraint.name=Validity Constraint
    policyset.serverCertSet.2.constraint.params.notAfterCheck=false
    policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
    policyset.serverCertSet.2.constraint.params.range=365
    policyset.serverCertSet.2.default.class_id=validityDefaultImpl
    policyset.serverCertSet.2.default.name=Validity Default
    policyset.serverCertSet.2.default.params.range=365
    policyset.serverCertSet.2.default.params.startTime=0
    policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
    policyset.serverCertSet.3.constraint.name=Key Constraint
    policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192
    policyset.serverCertSet.3.constraint.params.keyType=RSA
    policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
    policyset.serverCertSet.3.default.name=Key Default
    policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.4.constraint.name=No Constraint
    policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
    policyset.serverCertSet.4.default.name=Authority Key Identifier Default
    policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.5.constraint.name=No Constraint
    policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
    policyset.serverCertSet.5.default.name=AIA Extension Default
    policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
    policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
    policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.home.arpa/ca/ocsp
    policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
    policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
    policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
    policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
    policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
    policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
    policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
    policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
    policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
    policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
    policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
    policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
    policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
    policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
    policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
    policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
    policyset.serverCertSet.6.default.name=Key Usage Default
    policyset.serverCertSet.6.default.params.keyUsageCritical=true
    policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
    policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
    policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
    policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
    policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
    policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
    policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
    policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
    policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
    policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.7.constraint.name=No Constraint
    policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
    policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
    policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
    policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
    policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
    policyset.serverCertSet.8.constraint.name=No Constraint
    policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
    policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
    policyset.serverCertSet.8.default.name=Signing Alg
    policyset.serverCertSet.8.default.params.signingAlg=-
    policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
    policyset.serverCertSet.9.constraint.name=No Constraint
    policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
    policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
    policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
    policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
    policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
    policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
    policyset.serverCertSet.9.default.params.crlDistPointsNum=1
    policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.home.arpa/ipa/crl/MasterCRL.bin
    policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
    policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
    policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
    profileId=ipaSubCA
    visible=false

When I try to generate a certificate using ipa-getcert:

    sudo ipa-getcert request -f /etc/pki/tls/certs/app12.crt -k /etc/pki/tls/private/app12.key -K host/ipa.home.arpa -X kubernetes-ca -N kube-apiserver --profile ipaSubCA

I get the following error:

    Server at https://ipa.home.arpa/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'kube-apiserver' does not match name or aliases of principal 'host/ipa.home.a...@home.arpa')

I'm not really familiar with IPA design, but I'm guessing there is validation happening at both IPA (caacl) and Dogtag. Is it possible to get such a configuration working? Or should I just manage the private key myself?

I haven't tried principal aliases. They might work, but they are global objects, which will cause problems for me.

thanks,
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
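The 3009 rejection in the post comes from the IPA framework, not from the Dogtag profile: IPA's cert-request command compares the CSR subject against the requesting principal before the request ever reaches Dogtag, so a profile with no subject constraint does not by itself lift that check. The following added example (not the poster's code and not FreeIPA's own implementation) is a simplified model of that comparison, written to show why CN=kube-apiserver requested under host/ipa.home.arpa is refused while the same CN under a host entry that carries a matching principal alias would pass. The function names, the host entries and the constructed alias host/kube-apiserver@HOME.ARPA are all assumptions made for the illustration.

```python
"""Simplified model of IPA's CSR-subject-vs-principal check (the source of
error 3009 in the post).  Constructed for illustration; it is not FreeIPA
code, and the directory data below is made up."""

# Constructed stand-in for the host entries' krbprincipalname values.
# Each canonical principal maps to the full list of principals (itself and
# any aliases) stored on that host entry.
CONSTRUCTED_HOST_ENTRIES = {
    "host/ipa.home.arpa@HOME.ARPA": [
        "host/ipa.home.arpa@HOME.ARPA",
    ],
    "host/k8s.home.arpa@HOME.ARPA": [
        "host/k8s.home.arpa@HOME.ARPA",
        "host/kube-apiserver@HOME.ARPA",   # constructed alias, not in the post
    ],
}


def split_principal(principal):
    """Split 'service/hostname@REALM' into a normalised (service, host, realm)
    tuple: hostnames compare case-insensitively, realms are upper-case."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, ""
    if "/" not in name:
        raise ValueError("not a service principal: %r" % principal)
    service, hostname = name.split("/", 1)
    return service.lower(), hostname.lower(), realm.upper()


def principal_hostnames(principal, host_entries=CONSTRUCTED_HOST_ENTRIES):
    """Return the set of hostnames a principal may put in a CSR subject: its
    own hostname plus the hostname of every same-service alias on the host
    entry it belongs to (matched whether it is the canonical name or an alias)."""
    key = split_principal(principal)
    names = {key[1]}
    for aliases in host_entries.values():
        normalised = [split_principal(a) for a in aliases]
        if key in normalised:
            names.update(h for (s, h, _r) in normalised if s == key[0])
    return names


def check_csr_subject(principal, subject_cn, san_dns=(),
                      host_entries=CONSTRUCTED_HOST_ENTRIES):
    """Return (ok, reason).  The CN and every dNSName SAN must name the
    principal's host or one of its aliases; otherwise the request is
    refused before any Dogtag profile constraint is consulted."""
    allowed = principal_hostnames(principal, host_entries)
    if subject_cn.lower() not in allowed:
        return False, ("hostname in subject of request %r does not match name "
                       "or aliases of principal %r" % (subject_cn, principal))
    for name in san_dns:
        if name.lower() not in allowed:
            return False, ("subject alt name %r does not match name or aliases "
                           "of principal %r" % (name, principal))
    return True, "subject matches principal"


if __name__ == "__main__":
    # The request from the post: principal host/ipa.home.arpa, CN kube-apiserver.
    print(check_csr_subject("host/ipa.home.arpa@HOME.ARPA", "kube-apiserver"))
    # Same CN requested by the constructed k8s host entry that carries the alias.
    print(check_csr_subject("host/k8s.home.arpa@HOME.ARPA", "kube-apiserver",
                            san_dns=["k8s.home.arpa"]))
```

The model deliberately keeps the caacl and the Dogtag profile out of the picture: they decide which CA and profile a principal may use and what extensions the issued certificate gets, but the subject-name comparison shown here is what rejected the request in the post, which is why a profile with the common name constraint removed still produced error 3009.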