On Fri, Jan 21, 2022 at 04:50:36AM +0300, Omar Aloraini via FreeIPA-users wrote:
> I'm trying to create a sub CA that is managed by IPA and be able to sign
> certificates with arbitrary subjects.
> 
> You can create a profile for a sub CA and sign the sub CA certificate. I
> have followed this guide previously with success:
> https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> 
> Doing it this way, you have to manage the private key yourself. What I want
> to do now is to let IPA manage the private key and the sub CA just like the
> root CA. This will let me use the IPA API to request certificates with the
> issuer set to the sub CA.
> 
> I did roughly the following:
> # ipa ca-add kubernetes-ca --subject=CN=kubernetes-ca,O=$DOMAIN
> --desc='Kubernetes general CA'
> # ipa ca-add etcd-ca --subject=CN=etcd-ca,O=$DOMAIN --desc='For all
> etcd-related functions'
> # ipa ca-add kubernetes-front-proxy-ca
> --subject=CN=kubernetes-front-proxy-ca,O=$DOMAIN --desc='For the front-end
> proxy'
> # ipa certprofile-import ipaSubCA --desc "IPA Managed Sub CA certs" --file
> subCA.cfg --store=1
> # ipa host-add --no-reverse --force k8s.$DOMAIN
> # ipa caacl-add ipaSubCA
> # ipa caacl-add-ca ipaSubCA --ca kubernetes-ca
> # ipa caacl-add-profile ipaSubCA --certprofile ipaSubCA
> # ipa caacl-add-host ipaSubCA --hosts k8s.$DOMAIN
> 
> When creating the profile, I removed the common name constraint and the
> commonNameToSANDefaultImpl as per the guide.
> 
> My ipaSubCA.cfg
<<<snip>>>
> 
> When I try to generate a certificate using ipa-getcert:
> sudo ipa-getcert request -f /etc/pki/tls/certs/app12.crt -k
> /etc/pki/tls/private/app12.key -K host/ipa.home.arpa -X kubernetes-ca -N
> kube-apiserver --profile ipaSubCA
> 
> I get the following error:
> Server at https://ipa.home.arpa/ipa/json denied our request, giving up:
> 3009 (invalid 'csr': hostname in subject of request 'kube-apiserver' does
> not match name or aliases of principal 'host/ipa.home.a...@home.arpa')
> 
> I'm not really familiar with IPA design, but I'm guessing there is
> validation happening at both IPA (caacl) and dogtag.
> 
Correct.  IPA validates CSRs against a real host, user or service
object.  There is no way to issue certificates with arbitrary
subjects.  Other than by issuing a sub-CA to an external issuer -
which is an approach you are already aware of.

> Is it possible to get such configuration working? Or should I just manage the
> private key myself?
> 
> I haven't tried principal aliases. They might work, but they are global
> objects which will cause problems for me.
> 
You can get further, but you still can't have arbitrary subjects.

Cheers,
Fraser
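A simplified model of the check described above, added here as an illustration and not FreeIPA's own code: the hostname in the CSR subject (and any DNS SANs) must match the principal's own hostname or one of its aliases, so an alias widens the accepted names but never allows an arbitrary subject. The realm HOME.ARPA, the alias principal and the sample names are constructed.

```python
import re

# Constructed, simplified model of the CSR-subject validation FreeIPA performs
# before handing a request to Dogtag. Not IPA's code; the message mimics error 3009.
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@]+)@(?P<realm>.+)$")


def principal_host(principal: str) -> str:
    """Return the hostname part of a Kerberos service principal (host/fqdn@REALM)."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    return m.group("host").lower()


def allowed_hostnames(principal: str, aliases: tuple[str, ...] = ()) -> set[str]:
    """Hostnames a CSR for this principal may carry: canonical name plus alias hostnames."""
    return {principal_host(principal)} | {principal_host(a) for a in aliases}


def validate_csr_names(subject_cn: str, dns_sans: tuple[str, ...],
                       principal: str, aliases: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Accept only if every name in the request maps to the principal or one of its aliases.

    Hostname comparison is case-insensitive (an assumption of this model).
    """
    allowed = allowed_hostnames(principal, aliases)
    for name in (subject_cn, *dns_sans):
        if name.lower() not in allowed:
            return False, (f"3009 (invalid 'csr': hostname in subject of request {name!r} "
                           f"does not match name or aliases of principal {principal!r})")
    return True, "ok"


if __name__ == "__main__":
    host = "host/ipa.home.arpa@HOME.ARPA"          # constructed principal
    # The situation from the thread: CN kube-apiserver requested under host/ipa.home.arpa
    print(validate_csr_names("kube-apiserver", (), host))
    # With a principal alias for kube-apiserver the same request passes
    print(validate_csr_names("kube-apiserver", (), host, ("host/kube-apiserver@HOME.ARPA",)))
    # A name covered by neither principal nor alias is still rejected
    print(validate_csr_names("anything.example", (), host, ("host/kube-apiserver@HOME.ARPA",)))
```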
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org