On Tuesday, January 17, 2017 2:09:08 PM CST Phil Ingram wrote: > To whom this may concern, > > I use FreeIPA and I would like to create certificates for peer-to-peer and > remote-access VPNs. In speaking with Fraser Tweedale, we agree that the > best way forward is to create a secondary CA for insulation; but we may > also need to create a custom certificate profile, which is non-trivial. As > an end user of FreeIPA, I would like documentation on how to do this. > > I use pfSense which requires that I upload the CA cert, a server cert and > its private key. The private key for the CA is optional and only required > for pfSense to self manage a CRL. On the server side I can also enforce the > certificate depth; from none, to one through five. The only existing > references to VPN in the current docs are: > > * http://www.freeipa.org/page/V4/Sub-CAs#VPN_authentication > > * http://www.freeipa.org/page/User_certificate_use_cases > > > Regards, > > Phil
I haven't used a sub-CA yet, but the attached certificate profiles have worked well for me using OpenVPN. -A -- Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
auth.instance_id=raCertAuth classId=caEnrollImpl desc=This certificate profile is for enrolling OpenVPN client certificates with IPA-RA agent authentication. enable=true enableBy=ipara input.i1.class_id=certReqInputImpl input.i2.class_id=submitterInfoInputImpl input.list=i1,i2 name=IPA-RA Agent-Authenticated OpenVPN Client Certificate Enrollment output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.accept=true policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl policyset.serverCertSet.1.default.name=Subject Name Default policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=EXAMPLE.COM policyset.serverCertSet.10.constraint.class_id=noConstraintImpl policyset.serverCertSet.10.constraint.name=No Constraint policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default policyset.serverCertSet.10.default.params.critical=false policyset.serverCertSet.11.constraint.class_id=noConstraintImpl policyset.serverCertSet.11.constraint.name=No Constraint policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl policyset.serverCertSet.11.default.name=User Supplied Extension Default policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl policyset.serverCertSet.2.constraint.name=Validity Constraint policyset.serverCertSet.2.constraint.params.notAfterCheck=false policyset.serverCertSet.2.constraint.params.notBeforeCheck=false policyset.serverCertSet.2.constraint.params.range=740 policyset.serverCertSet.2.default.class_id=validityDefaultImpl policyset.serverCertSet.2.default.name=Validity Default policyset.serverCertSet.2.default.params.range=731 policyset.serverCertSet.2.default.params.startTime=0 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl policyset.serverCertSet.3.constraint.name=Key Constraint policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 policyset.serverCertSet.3.constraint.params.keyType=RSA policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl policyset.serverCertSet.3.default.name=Key Default policyset.serverCertSet.4.constraint.class_id=noConstraintImpl policyset.serverCertSet.4.constraint.name=No Constraint policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl policyset.serverCertSet.4.default.name=Authority Key Identifier Default policyset.serverCertSet.5.constraint.class_id=noConstraintImpl policyset.serverCertSet.5.constraint.name=No Constraint policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl policyset.serverCertSet.5.default.name=AIA Extension Default policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 policyset.serverCertSet.5.default.params.authInfoAccessCritical=false policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint policyset.serverCertSet.6.constraint.params.keyUsageCritical=true policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl policyset.serverCertSet.6.default.name=Key Usage Default policyset.serverCertSet.6.default.params.keyUsageCritical=true policyset.serverCertSet.6.default.params.keyUsageCrlSign=false policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false policyset.serverCertSet.7.constraint.class_id=noConstraintImpl policyset.serverCertSet.7.constraint.name=No Constraint policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default policyset.serverCertSet.7.default.params.exKeyUsageCritical=true policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- policyset.serverCertSet.9.constraint.class_id=noConstraintImpl policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default policyset.serverCertSet.9.default.params.crlDistPointsCritical=false policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName policyset.serverCertSet.9.default.params.crlDistPointsNum=1 policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 visible=false
auth.instance_id=raCertAuth classId=caEnrollImpl desc=This certificate profile is for enrolling OpenVPN server certificates with IPA-RA agent authentication. enable=true enableBy=ipara input.i1.class_id=certReqInputImpl input.i2.class_id=submitterInfoInputImpl input.list=i1,i2 name=IPA-RA Agent-Authenticated OpenVPN Server Certificate Enrollment output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.accept=true policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl policyset.serverCertSet.1.default.name=Subject Name Default policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=EXAMPLE.COM policyset.serverCertSet.10.constraint.class_id=noConstraintImpl policyset.serverCertSet.10.constraint.name=No Constraint policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default policyset.serverCertSet.10.default.params.critical=false policyset.serverCertSet.11.constraint.class_id=noConstraintImpl policyset.serverCertSet.11.constraint.name=No Constraint policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl policyset.serverCertSet.11.default.name=User Supplied Extension Default policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl policyset.serverCertSet.2.constraint.name=Validity Constraint policyset.serverCertSet.2.constraint.params.notAfterCheck=false policyset.serverCertSet.2.constraint.params.notBeforeCheck=false policyset.serverCertSet.2.constraint.params.range=740 policyset.serverCertSet.2.default.class_id=validityDefaultImpl policyset.serverCertSet.2.default.name=Validity Default policyset.serverCertSet.2.default.params.range=731 policyset.serverCertSet.2.default.params.startTime=0 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl policyset.serverCertSet.3.constraint.name=Key Constraint policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 policyset.serverCertSet.3.constraint.params.keyType=RSA policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl policyset.serverCertSet.3.default.name=Key Default policyset.serverCertSet.4.constraint.class_id=noConstraintImpl policyset.serverCertSet.4.constraint.name=No Constraint policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl policyset.serverCertSet.4.default.name=Authority Key Identifier Default policyset.serverCertSet.5.constraint.class_id=noConstraintImpl policyset.serverCertSet.5.constraint.name=No Constraint policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl policyset.serverCertSet.5.default.name=AIA Extension Default policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 policyset.serverCertSet.5.default.params.authInfoAccessCritical=false policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint policyset.serverCertSet.6.constraint.params.keyUsageCritical=true policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl policyset.serverCertSet.6.default.name=Key Usage Default policyset.serverCertSet.6.default.params.keyUsageCritical=true policyset.serverCertSet.6.default.params.keyUsageCrlSign=false policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false policyset.serverCertSet.7.constraint.class_id=noConstraintImpl policyset.serverCertSet.7.constraint.name=No Constraint policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default policyset.serverCertSet.7.default.params.exKeyUsageCritical=true policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.serverCertSet.8.constraint.name=No Constraint policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- policyset.serverCertSet.9.constraint.class_id=noConstraintImpl policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default policyset.serverCertSet.9.default.params.crlDistPointsCritical=false policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName policyset.serverCertSet.9.default.params.crlDistPointsNum=1 policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 visible=false
signature.asc
Description: This is a digitally signed message part.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project