Re: [Freeipa-users] PKI signing certificate question

2016-08-02 Thread William Muriithi
Mateusz



>> > There is "X.509 Name Constraints" extension for certificates, however
>> > external CA would have to make this extension as "critical" (which would
>> > probably cause compatibility issues with some software - "critical" means
>> > that if some app doesn't know how to handle this extension, it has to
>> > report an error and not proceed with establishing secure connection).
>>
>> The certificate with CA basic constraint would only have been used on
>> freeIPA, not on other servers. I believe freeIPA could handle such a
>> certificate.
>
> FreeIPA should be perfectly fine, the problem is with workstations. While
> (almost?) all software is capable of understanding CA basic constraint (as
> it was known and used for ages), limiting CA to single domain zone using
> X.509 Name Constraints can have some side effects (apps on user workstation
> have to validate all certificates up to root CA - if it happens that they
> don't understand name constraints, they will choke on IPA CA certificate if
> such extension is marked "critical"; I think that's the case with majority
> of Apple devices). I'm not aware of any CA that issues technically
> constrained sub-CAs and I think that according to latest guidelines, they
> are required to publicly disclose other sub-CAs issued (and such CAs have to
> undergo full WebTrust audit and have CPS just like regular CA).
>
Interesting, now I understand what you meant. Makes a lot of sense.


>> > As I understand, --external-ca option should be used when you already
>> > have configured PKI infrastructure in your network (for example Active
>> > Directory Certificate Services) and spinning another internal CA is not a
>> > big deal. You've mentioned that there is already an Active Directory
>> > domain, (...)
>> >
>> Interesting. Active Directory certificate service would also be using self
>> signed certificate, correct?
>
> Correct. AD Certificate Service can generate its own self-signed root CA
> certificate, just like FreeIPA with internal CA does. As far as I know,
> depending on how you initialize AD CS, this certificate would be deployed to
> domain-joined machines automatically or you would have to push it through
> Group Policies.

Thanks, I understand the purpose of the --external-ca flag now pretty well.


> --
> Best regards
> Mateusz Małek

Thanks a lot, Mateusz.  Really appreciate your great response.  I now
do feel I have all the info I was looking for when I started this
thread.

Regards,

William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] PKI signing certificate question

2016-08-01 Thread Mateusz Małek

William,

On 02.08.2016 at 00:41, William Muriithi wrote:
>
> > > Which external CA would be more open to signing this kind of certificate?

> >
> > I'm afraid that there is not a single external CA that would sign request for CA certificate. (...)

>
> Understandable. Did speak with them and realised it's not a straightforward thing. As I understand, some CA like Symantec may allow sub CA.


They still would not allow you to have control of sub-CA private key, 
probably. After numerous incidents with mis-issued certificates, browser 
vendors want to be rather safe than sorry - and they have "no mercy" 
policy for any incidents (Symantec is forced to report every certificate 
issued to publicly available certificate transparency log servers, CNNIC
can no longer issue valid certificates), which makes CA owners rather 
cautious. Revoking trust in one's root CA can even result in bankruptcy 
of such company (see DigiNotar case).


> > There is "X.509 Name Constraints" extension for certificates, however
> > external CA would have to make this extension as "critical" (which would
> > probably cause compatibility issues with some software - "critical" means
> > that if some app doesn't know how to handle this extension, it has to
> > report an error and not proceed with establishing secure connection).

>
> The certificate with CA basic constraint would only have been used on
> freeIPA, not on other servers. I believe freeIPA could handle such a
> certificate.


FreeIPA should be perfectly fine, the problem is with workstations. 
While (almost?) all software is capable of understanding CA basic 
constraint (as it was known and used for ages), limiting CA to single 
domain zone using X.509 Name Constraints can have some side effects 
(apps on user workstation have to validate all certificates up to root 
CA - if it happens that they don't understand name constraints, they 
will choke on IPA CA certificate if such extension is marked "critical"; 
I think that's the case with majority of Apple devices). I'm not aware 
of any CA that issues technically constrained sub-CAs and I think that 
according to latest guidelines, they are required to publicly disclose 
other sub-CAs issued (and such CAs have to undergo full WebTrust audit 
and have CPS just like regular CA).


I'm using name-constrained CA certificate from our internal root CA, 
however, name constraints extension is not marked as critical. Our 
internally-issued certificates are to be seen only by admins, so it's 
just additional precaution (in case some admin would find it funny to 
use certificate issued from internal CA to MitM another admin) rather 
than security measure.


> > As I understand, --external-ca option should be used when you already
> > have configured PKI infrastructure in your network (for example Active
> > Directory Certificate Services) and spinning another internal CA is not a
> > big deal. You've mentioned that there is already an Active Directory
> > domain, (...)

> >
> Interesting. Active Directory certificate service would also be using
> self signed certificate, correct?


Correct. AD Certificate Service can generate its own self-signed root CA 
certificate, just like FreeIPA with internal CA does. As far as I know, 
depending on how you initialize AD CS, this certificate would be 
deployed to domain-joined machines automatically or you would have to 
push it through Group Policies.


> Saw another thread today of someone using --external-ca flag. Wish
> someone who has gone through the process could document the process
> including if they are using external CA


Installation with external CA is quite similar to default setup - when 
you indicate that you want to use external CA, installation process has 
two phases. First, ipa-server-install performs some tasks and generates 
CSR request file. Then, you sign it using your other CA (just make sure 
it preserves CA constraint; we were using EasyRSA, which has separate 
command/profile for creating subordinate CAs). Next, you save your 
signed certificate back to your new IPA server and invoke installer once 
again with additional arguments (this command is shown when first stage 
finishes) - and configuration process continues just like without 
external CA.


--
Best regards
Mateusz Małek

Network and Computer Systems Administrator
Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology


Re: [Freeipa-users] PKI signing certificate question

2016-08-01 Thread William Muriithi
Mateusz

> >
> > Which external CA would be more open to signing this kind of
> > certificate?
>
> I'm afraid that there is not a single external CA that would sign request
> for CA certificate. They need to make sure that certificate would not be
> used for fraudulent purposes (for e.g. Man-in-the-Middle attacks) which
> usually means that they keep control of all subordinate CAs they create
> (you can only place requests for client or server certificates - but domain
> ownership validation and certificate issuance takes place in their
> infrastructure) or they verified that you securely store your private key
> in dedicated HSM and have adequate policies and rules regarding certificate
> issuance.

Understandable. Did speak with them and realised it's not a straightforward
thing. As I understand, some CA like Symantec may allow sub CA.
>
> There is "X.509 Name Constraints" extension for certificates, however
> external CA would have to make this extension as "critical" (which would
> probably cause compatibility issues with some software - "critical" means
> that if some app doesn't know how to handle this extension, it has to
> report an error and not proceed with establishing secure connection).

The certificate with CA basic constraint would only have been used on
freeIPA, not on other servers. I believe freeIPA could handle such a
certificate.

> As I understand, --external-ca option should be used when you already
> have configured PKI infrastructure in your network (for example Active
> Directory Certificate Services) and spinning another internal CA is not a
> big deal. You've mentioned that there is already an Active Directory
> domain, so the last option seems the easiest one - internal CA root
> certificate can be deployed to Windows workstation using AD and IPA
> configured with external CA would automatically deploy internal root CA to
> Linux workstations during ipa-client-install.
>
Interesting. Active Directory certificate service would also be using self
signed certificate, correct?

Saw another thread today of someone using --external-ca flag. Wish someone
who has gone through the process could document the process including if
they are using external CA
> --
> Best regards
> Mateusz Małek
Appreciate your feedback a lot.

William

Re: [Freeipa-users] PKI signing certificate question

2016-08-01 Thread Mateusz Małek

William,

On 29.07.2016 at 22:27, William Muriithi wrote:

> Has anyone here been successful in getting external CA to sign this
> kind of certificate?  I have just tried to convince DigiCert for 2 days
> that there is no harm issuing this kind of certificate as long as it's
> restricted to one domain without success.

>
> Which external CA would be more open to signing this kind of certificate?

I'm afraid that there is not a single external CA that would sign 
request for CA certificate. They need to make sure that certificate 
would not be used for fraudulent purposes (for e.g. Man-in-the-Middle 
attacks) which usually means that they keep control of all subordinate 
CAs they create (you can only place requests for client or server 
certificates - but domain ownership validation and certificate issuance 
takes place in their infrastructure) or they verified that you securely 
store your private key in dedicated HSM and have adequate policies and 
rules regarding certificate issuance.


There is "X.509 Name Constraints" extension for certificates, however 
external CA would have to make this extension as "critical" (which would 
probably cause compatibility issues with some software - "critical" 
means that if some app doesn't know how to handle this extension, it has 
to report error and do not proceed with establishing secure connection). 
Also, if they decide to sell such CA certificate, it would probably be 
much more expensive than "simple" one (as this would allow you to issue 
further certificates for your domain without paying external CAs for them).


You can either go CA-less and buy certificates for all your services or 
use free certificates from Let's Encrypt (if you want your certificates 
to validate "nicely" on users' own devices) or use internal CA and 
install its root certificate on all hosts using your IPA server. 
As I understand, --external-ca option should be used when you already 
have configured PKI infrastructure in your network (for example Active 
Directory Certificate Services) and spinning another internal CA is not 
a big deal. You've mentioned that there is already an Active Directory 
domain, so the last option seems the easiest one - internal CA root 
certificate can be deployed to Windows workstation using AD and IPA 
configured with external CA would automatically deploy internal root CA 
to Linux workstations during ipa-client-install.


--
Best regards
Mateusz Małek

Network and Computer Systems Administrator
Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology


Re: [Freeipa-users] PKI signing certificate question

2016-07-29 Thread William Muriithi
Clark,

Thank you.

> I personally haven't done this, but from https://www.freeipa.org/page/PKI
>
> "when --external-ca option is used, ipa-server-install produces a
certificate certificate request for it's CA certificate so that it can be
properly chained in existing PKI infrastructure."
>

Has anyone here been successful in getting external CA to sign this kind of
certificate?  I have just tried to convince DigiCert for 2 days that there
is no harm issuing this kind of certificate as long as it's restricted to
one domain without success.

Which external CA would be more open to signing this kind of certificate?

Lastly, would there be any harm enrolling IPA clients to this server before
feeding it the signed certificate?

Regards

William

Re: [Freeipa-users] PKI signing certificate question

2016-07-27 Thread Anthony Clark
I personally haven't done this, but from https://www.freeipa.org/page/PKI

"when --external-ca option is used, ipa-server-install produces a
certificate certificate request for it's CA certificate so that it can be
properly chained in existing PKI infrastructure."

and from
https://www.redhat.com/archives/freeipa-users/2014-January/msg00057.html

"First run ipa-server-install with --external-ca, which will create a CSR
for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the
external CA to get the IPA CA certificate. Finally, run ipa-server-install
with --external_cert_file pointing to the IPA CA certificate and
--external_ca_file pointing to CA certificate of the external CA."

From that previous paragraph, it looks like the --external-ca option
doesn't actually install anything, just creates the correct CSR for the
domain you intend to create.

If you can create a temporary CentOS virtual machine you could run the
"ipa-server-install --external-ca" command and see what happens :)

Hope this helps,

Anthony Clark

On Wed, Jul 27, 2016 at 11:24 PM, William Muriithi <william.murii...@gmail.com> wrote:

> Hello
>
> I want to use an external certificate when setting up a new FreeIPA
> next week and plan to send the CSR tomorrow.
>
> I would like to source a certificate for example.com and use it on
> FreeIPA on eng.example.com.  I can't specifically set the FreeIPA on
> example.com because we have active directory on corp.example.com
>
> Is there a way for using FreeIPA with such a setup?  I am hoping that
> if I can setup FreeIPA using example.com, I can be able to generate
> certificates for both Windows and Linux plus other like
> vpn.example.com that don't sit well on either AD or FreeIPA domain.
>
> Whats the best way to approach this?  If not possible, would setting
> FreeIPA as a sub domain for active directory help?
>
> Regards,
>
> William
>
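The two-phase --external-ca installation that Mateusz and Anthony describe leaves one step to the reader: signing /root/ipa.csr with the existing CA so that the result is itself a CA certificate ("make sure it preserves CA constraint"), optionally limited to one DNS zone with a Name Constraints extension that, as in Mateusz's own deployment, is not marked critical. The script below is an added example, not code from this thread, from FreeIPA or from any CA product. It uses OpenSSL as a stand-in for the organisation's root CA (AD CS, EasyRSA or similar in practice), generates its own CSR in place of /root/ipa.csr, and treats every example.com name as a placeholder. It signs the CSR as a subordinate CA, checks that CA:TRUE survived and that the constraint is non-critical, then issues one certificate inside the permitted zone and one outside it, showing that a validating client (OpenSSL here) rejects the latter even though the extension is not critical.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or any CA product.
# Stand-in for the step between the two phases of
# "ipa-server-install --external-ca": sign the CSR from phase one as a
# subordinate CA, keep basicConstraints CA:TRUE, add a NON-critical Name
# Constraints extension, and show what that constraint does to certificates
# the IPA CA later issues.  Assumptions: openssl 1.1.1+ on PATH; root CA and
# CSR are generated here as stand-ins for the organisation's existing CA and
# for /root/ipa.csr; all example.com names are placeholders.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal request config so nothing depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the IPA CA certificate.  "Make sure it preserves CA
# constraint" means the CA:TRUE line: without it nothing IPA issues will
# validate.  nameConstraints is deliberately NOT critical, as in the thread:
# clients that do not implement it still accept the chain, while clients that
# do (OpenSSL included) enforce it regardless of criticality.
cat > subca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = permitted;DNS:eng.example.com
EOF

# 1. Throwaway root standing in for the existing CA (AD CS, EasyRSA, ...).
openssl req -x509 -config req.cnf -extensions v3_root -sha256 -days 3650 \
  -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=Example Root CA" \
  -keyout root.key -out root.crt 2>/dev/null

# 2. Stand-in for /root/ipa.csr from phase one (the real CA key stays on the
#    IPA server; only the CSR is handed to the external CA).
openssl req -new -config req.cnf -sha256 -newkey rsa:2048 -nodes \
  -subj "/O=ENG.EXAMPLE.COM/CN=Certificate Authority" \
  -keyout ipa-ca.key -out ipa.csr 2>/dev/null

# 3. Sign it as a subordinate CA.  ipa-ca.crt is the "signed certificate" phase
#    two asks for, root.crt the external CA's certificate.
openssl x509 -req -in ipa.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -sha256 -days 1825 -extfile subca.ext -out ipa-ca.crt 2>/dev/null

# Exit 0 if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 if a Name Constraints extension is present AND marked critical.
name_constraints_critical() {
  openssl x509 -in "$1" -noout -text | grep -q 'Name Constraints: critical'
}

# Issue a server certificate for host $1 from the IPA CA, with the name in the
# SAN (stand-in for IPA issuing a certificate to an enrolled host).
issue_host() {
  openssl req -new -config req.cnf -sha256 -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  cat > "$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
  openssl x509 -req -in "$1.csr" -CA ipa-ca.crt -CAkey ipa-ca.key \
    -CAcreateserial -sha256 -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Print OK when $1.crt chains to root.crt via ipa-ca.crt, otherwise the reason
# OpenSSL gives, e.g. "permitted subtree violation".
verify_result() {
  out=$(openssl verify -CAfile root.crt -untrusted ipa-ca.crt "$1.crt" 2>&1) \
    && { echo OK; return 0; }
  echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

issue_host ipa.eng.example.com   # inside the permitted zone
issue_host vpn.example.com       # outside it
echo "IPA CA has CA:TRUE:         $(is_ca_cert ipa-ca.crt && echo yes || echo no)"
echo "Name Constraints critical:  $(name_constraints_critical ipa-ca.crt && echo yes || echo no)"
echo "ipa.eng.example.com:        $(verify_result ipa.eng.example.com)"
echo "vpn.example.com:            $(verify_result vpn.example.com)"
```

The script works in a temporary directory and needs no privileges. Phase two of the installer then takes ipa-ca.crt as the signed IPA CA certificate and root.crt as the external CA's certificate; use the option spelling the installer prints at the end of phase one (the 2014 message quoted above shows the older underscore form --external_cert_file / --external_ca_file). Two things the example shows that the thread only states: the subordinate CA can still sign a certificate for vpn.example.com (signing is not constrained), but a validating client refuses it, and the constraint is enforced by OpenSSL even though the extension is non-critical, so "non-critical" only buys tolerance from clients that do not implement Name Constraints at all. ipa-ca.key exists here only because the script generated its own CSR; in the real procedure the IPA CA key never leaves the server.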