On 24/09/15 01:20, Fraser Tweedale wrote:
On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:

On 23/09/15 11:03, Fraser Tweedale wrote:
On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
On 22/09/15 17:02, James Masson wrote:

Hi,

we're building IPAs in an automated fashion, for environments that get
created and destroyed a lot. At the moment, the CA certs used inside
these IPAs are self-signed, as part of the normal "ipa-server-install"
setup process.

We would like to switch to issuing signed intermediate CA certs to the
IPAs we deploy.

The documentation lists the two part process necessary for this. First
"--external-ca" - and then "--external-cert-file"

Are there any ways to skip this, and give the setup process a known
public/private key+cert up front? I'm hoping to avoid the need to have
to use/send this automatically generated CSR every time.

thanks

James M


Hello James,
Currently it's not possible, but making installation with an externally signed
CA a single step sounds really useful to me.
Currently certmonger is generating the CSR for FreeIPA server in the first
step of installation. Certmonger is also able to send certificate to
external CA for signing.

I'm not sure if we could combine these two certmonger abilities right now,
but if not it shouldn't be difficult to add functionality to certmonger to
send the CSR to a preconfigured CA instead of just storing it in a file.

This would of course require configuring the certmonger with information
about the CA before FreeIPA server installation but it's just one command
(getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?

There are two sides to this - one is using Certmonger for automatic
signing of intermediate CA certificate to be used by IPA, the other
is simply using a CA cert that the administrator already possesses,
e.g. in a PKCS #12 file.  These should be separate tickets.

Cheers,
Fraser

--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2 step process used at
the moment?

i.e. run 'ipa-server-install' the first time - get the CSR
use local certmonger to handle the CSR submission to the upstream CA
use the resulting cert in the second 'ipa-server-install'

Any pointers?

regards

James M

I don't see an option for certmonger to use an existing CSR but you
could ask it to create and track a new CSR for the same key.  See
getcert-request(1) for full details.

Cheers,
Fraser


Any hints of how to make a request via Certmonger that would keep IPA happy?

Looking at the CSR, the awkward bits are...

###
Requested Extensions:
  X509v3 Basic Constraints: critical
      CA:TRUE
  X509v3 Key Usage: critical
      Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
###

I presume this is done with...
  -U EXTUSAGE   set requested extended key usage OID

How do I convert the IPA CSR text output for use with Certmonger?

thanks

James M

