Hi.
On 10/12/20 3:05 AM, Fraser Tweedale via FreeIPA-users wrote:
On Thu, Oct 08, 2020 at 10:03:03PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote:
>> Radosław Kujawa via FreeIPA-users wrote:
>>>
>>> Is it possible to add email subjectAltName to a certificate when it is
>>> being signed by the IPA?
>>>
>>
>> How would the profile know what e-mail to add?
>>
>
> These certificates are treated by IPA as "user certificates". The CN is
> set to the IPA user's login.
>
> By some magic, IPA knows that such certificate should be added to LDAP
> object representing particular user.
>
> I hoped it would be possible to instruct it, to fetch the email attribute
> from LDAP object when signing the cert (based on the CN) and put it into
> subjectAltName.
>
A modern enterprise PKI should be able to do it. But FreeIPA
cannot. It's fundamentally possible but a lot of work to achieve
it. I blogged about it several years ago:
https://frasertweedale.github.io/blog-redhat/posts/2015-11-04-freeipa-pki...
For now, you must get the rfc822Name into the CSR's SAN extension,
somehow. What tool are you using to generate those CSRs? Perhaps
we can help find a way to do it.
Long story short, the organization where I work has adopted Yubikeys as
the primary authentication method. This is working out well for us so far.
Since we are already using IPA user certificates for PIV authentication,
the thought appeared that we could use the same certs for S/MIME (at
least Evolution appears to be able to successfully access the PIV cert
on Yubikey to perform signing).
The Yubikey "provisioning" process is currently self-service. Due to the
small size of the organization (and the fact that currently most people work
from home), it would be nice if it could stay this way. All users
equipped with a Yubikey have a CA ACL that allows them to request certs
using a customized caIPAuserCert profile.
Currently, from the user's perspective this is as simple as:
$ yubico-piv-tool --key=$KEY -a generate -s 9a -A RSA2048 -o pub.pem
$ yubico-piv-tool -a verify -a request -s 9a -P $PIN -S "/CN=$(whoami)/" \
    -i pub.pem -o req.pem
$ ipa cert-request --profile-id=caIPAuserCert --principal $(whoami) req.pem
Then downloading the signed user certificate and running
$ yubico-piv-tool --key=$KEY -a import-certificate -i cert.pem -s 9a
Note that in this setup the private key is generated on the Yubikey and
never leaves the device.
The yubico-piv-tool -a request does not seem to have an option to add
any kind of SAN to CSR.
I know that, at least theoretically, it is possible to generate the private key
and CSR using openssl, sign it in IPA, and import the resulting
private key and certificate onto the Yubikey. However, from a security
perspective, I see more opportunities for the user to mess something up
here.
One more doubt appears here. I obviously wouldn't want the user to get
a certificate signed with a different email in the CSR than appears in their
own LDAP object...
Best regards,
Radoslaw
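The two points raised in the thread (getting an rfc822Name into the CSR's SAN, and refusing to submit a CSR whose e-mail does not match what LDAP says about the user) can be exercised offline with plain openssl. The script below is an added example and is not code from the thread, from FreeIPA or from yubico-piv-tool. It assumes: a throwaway software RSA key (standing in for the Yubikey-resident key in slot 9a, which the original workflow never exports), a hard-coded `LDAP_MAIL` constant standing in for the user's `mail` attribute (which in practice would come from the user's IPA/LDAP entry), and OpenSSL 1.1.1 or newer for `openssl req -addext`. The login and e-mail values are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR carrying an rfc822Name SAN
# and check that SAN e-mail against the value expected for the user before the
# CSR would be handed to `ipa cert-request`.
#
# Assumptions (not in the original post):
#   - the private key is a throwaway software key generated here so the
#     script runs offline; in the real setup it lives in Yubikey slot 9a
#   - LDAP_MAIL is a constant standing in for the user's LDAP mail attribute
#   - OpenSSL >= 1.1.1 (`openssl req -addext`)

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

USER_LOGIN="alice"              # constructed sample login (stands in for $(whoami))
LDAP_MAIL="alice@example.com"   # constructed: what LDAP says the user's mail is

# Generate a software key (stand-in for the Yubikey-resident key).
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
}

# Build a CSR with CN=<login> and an rfc822Name SAN set to the given e-mail.
# $1 = login, $2 = e-mail, $3 = output CSR path
make_csr() {
    openssl req -new -key "$WORK/key.pem" -subj "/CN=$1" \
        -addext "subjectAltName=email:$2" -out "$3" 2>/dev/null
}

# Print every rfc822Name found in the CSR's SAN extension, one per line.
# Prints nothing if the CSR has no SAN or no e-mail entry in it.
csr_san_email() {
    openssl req -in "$1" -noout -text \
      | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p'
}

# Return 0 only if the CSR carries exactly one rfc822Name and it equals $2.
# Rejecting "zero" and "more than one" closes the obvious ways of sneaking a
# second address past a naive equality test.
check_csr_email() {
    emails="$(csr_san_email "$1")"
    [ "$(printf '%s\n' "$emails" | grep -c .)" -eq 1 ] || return 1
    [ "$emails" = "$2" ]
}

make_key
make_csr "$USER_LOGIN" "$LDAP_MAIL" "$WORK/good.csr"
make_csr "$USER_LOGIN" "mallory@example.com" "$WORK/bad.csr"   # constructed mismatch

if check_csr_email "$WORK/good.csr" "$LDAP_MAIL"; then
    echo "good.csr: SAN e-mail matches LDAP, safe to submit"
fi
if ! check_csr_email "$WORK/bad.csr" "$LDAP_MAIL"; then
    echo "bad.csr: SAN e-mail does not match LDAP, refuse to submit"
fi
```

In the real workflow the CSR would be produced against the Yubikey-resident key rather than a software key, and the comparison value would be fetched from the user's LDAP entry by whatever wraps the self-service step; the check itself (exactly one rfc822Name, equal to the directory's value) stays the same.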