Thank you Martin, that's very helpful. The annoying thing about cut/paste from web ui is that the cert is not wrapped at 60 chars like it should be, but I guess I'll have to wait for the save certificate functionality. Any idea of when that's planned for?

Regards
Alessandro

On 15 March 2016 at 08:50, Martin Babinsky <mbabi...@redhat.com> wrote:

> On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I would like to have authenticated users to upload a csr request and
>> have their certificate automatically signed. Their certificate would
>> expire in x days.
>>
>> Given the short life of the certificate, I would then like them to be
>> able to easily download the certificate.
>>
>> Any suggestion on how to do it?
>> I would prefer the shell script approach but also having it self
>> serviced on the web ui would be great.
>>
>> Regards
>>
>> --
>> Alessandro De Maria
>> alessandro.dema...@gmail.com <mailto:alessandro.dema...@gmail.com>
>>
> Hi Alessandro,
>
> for FreeIPA 4.2+ you can use the following links as a guide to set up a
> custom profile and CA ACL rules so that users can request certificates for
> themselves:
>
> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
>
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> The user then can generate CSR request e.g. using OpenSSL and use 'ipa
> cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> the custom certificate profile, the certificate will be added to the user
> entry as 'usercertificate;binary' attribute which he can view from
> CLI/WebUI as PEM and save it to a file by copy-pasting it (The
> functionality to save the certificate directly to a file is under
> development).
>
> It should be possible to modify the certificate profile to restrict the
> maximum validity of the issued certificate but I have no knowledge about
> that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> with this.
>
> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

--
Alessandro De Maria
alessandro.dema...@gmail.com
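The copy-paste step discussed in this thread can be scripted. The following is an added example, not part of the original thread or of FreeIPA: a shell function that turns a certificate pasted as one long base64 line into a wrapped PEM file. The function name `rewrap_pem`, the default width of 64 characters (the PEM line length in RFC 7468) and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not FreeIPA code): re-wrap a certificate pasted as a single
# base64 line, e.g. from the Web UI, into a PEM file with wrapped body lines.

# rewrap_pem [WIDTH]
#   stdin : pasted text, with or without BEGIN/END lines, in any line layout
#   stdout: PEM certificate with body lines of WIDTH characters (default 64)
rewrap_pem() {
    width="${1:-64}"
    # Remove armor lines wherever they occur, then every whitespace character,
    # so that only the bare base64 body is left.
    body=$(sed -e 's/-----BEGIN CERTIFICATE-----//' \
               -e 's/-----END CERTIFICATE-----//' | tr -d ' \t\r\n')
    # Refuse empty or non-base64 input instead of writing a broken file.
    case "$body" in
        ''|*[!A-Za-z0-9+/=]*)
            echo "rewrap_pem: input is not base64" >&2
            return 1 ;;
    esac
    # A complete base64 body has a length that is a multiple of 4; anything
    # else means the paste was cut short.
    if [ $(( ${#body} % 4 )) -ne 0 ]; then
        echo "rewrap_pem: truncated base64 (length ${#body})" >&2
        return 1
    fi
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$body" | fold -w "$width"
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Constructed sample: 100 base64 characters on one line. It is NOT a real
# certificate, it only exercises the wrapping.
SAMPLE=$(printf '%0100d' 0 | tr 0 A)
printf '%s\n' "$SAMPLE" | rewrap_pem
```

With a real certificate, redirect the output to a file and confirm it parses and shows the expected expiry with `openssl x509 -in user.pem -noout -subject -enddate`.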