On Fri, Jan 21, 2022 at 04:50:36AM +0300, Omar Aloraini via FreeIPA-users wrote:
> I'm trying to create a sub CA that is managed by IPA and be able to sign
> certificates with arbitrary subjects.
You can create a profile for a sub CA and sign the sub CA certificate. I
have followed this guide previously with success:
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
> Doing it this way, you have to manage the private key yourself. What I want
> to do now is to let IPA manage the private key and the sub CA just like the
> root CA. This will let me use the IPA API to request certificates with the
> issuer set to the sub CA.
>
> I did roughly the following:
>
> # ipa ca-add kubernetes-ca --subject=CN=kubernetes-ca,O=$DOMAIN --desc='Kubernetes general CA'
> # ipa ca-add etcd-ca --subject=CN=etcd-ca,O=$DOMAIN --desc='For all etcd-related functions'
> # ipa ca-add kubernetes-front-proxy-ca --subject=CN=kubernetes-front-proxy-ca,O=$DOMAIN --desc='For the front-end proxy'
> # ipa certprofile-import ipaSubCA --desc "IPA Managed Sub CA certs" --file subCA.cfg --store=1
> # ipa host-add --no-reverse --force k8s.$DOMAIN
> # ipa caacl-add ipaSubCA
> # ipa caacl-add-ca ipaSubCA --ca kubernetes-ca
> # ipa caacl-add-profile ipaSubCA --certprofile ipaSubCA
> # ipa caacl-add-host ipaSubCA --hosts k8s.$DOMAIN
>
> When creating the profile, I removed the common name constraint and the
> commonNameToSANDefaultImpl as per the guide.
>
> My ipaSubCA.cfg
>
> <<<snip>>>
>
> When I try to generate a certificate using ipa-getcert:
>
> sudo ipa-getcert request -f /etc/pki/tls/certs/app12.crt -k /etc/pki/tls/private/app12.key -K host/ipa.home.arpa -X kubernetes-ca -N kube-apiserver --profile ipaSubCA
>
> I get the following error:
>
> Server at https://ipa.home.arpa/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'kube-apiserver' does not match name or aliases of principal 'host/ipa.home.arpa@HOME.ARPA')
>
> I'm not really familiar with IPA design, but I'm guessing there is
> validation happening at both IPA (caacl) and dogtag.
Correct. IPA validates CSRs against a real host, user or service
object. There is no way to issue certificates with arbitrary
subjects, other than by issuing a sub-CA to an external issuer -
which is an approach you are already aware of.
> Is it possible to get such a configuration working? Or should I just
> manage the private key myself?
>
> I haven't tried principal aliases. They might work, but they are global
> objects, which will cause problems for me.
You can get further, but you still can't have arbitrary subjects.
Cheers,
Fraser
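The subject-vs-principal check that produced the 3009 error above, as an added, stdlib-only model written for this page; it is not FreeIPA's own code (which lives in the server-side cert-request plugin and also checks service and user principals, and lets SANs name other hosts the requester manages), but a simplification of the host-principal case. It shows why a CN of kube-apiserver is refused for host/ipa.home.arpa, what changes once a principal alias such as host/kube-apiserver@HOME.ARPA is attached to that host (via `ipa host-add-principal`), and that even then a CN matching no alias is still rejected. The principal names, the hypothetical alias and the CSR fields are constructed for the example.

```python
# Added example, not FreeIPA's code: a simplified model of the CSR subject check
# that IPA's cert-request command performs before handing the request to Dogtag.
# Principal names, the alias and the CSR fields below are constructed.

from dataclasses import dataclass, field


@dataclass
class Principal:
    """A simplified IPA host object with its Kerberos principal aliases."""
    name: str                                   # e.g. 'host/ipa.home.arpa@HOME.ARPA'
    aliases: list = field(default_factory=list)  # e.g. ['host/alias.home.arpa@HOME.ARPA']

    @staticmethod
    def _hostname(principal: str) -> str:
        # 'host/fqdn@REALM' -> 'fqdn'; service principals have the same shape.
        return principal.split("@", 1)[0].split("/", 1)[1].lower()

    def hostnames(self) -> set:
        """Every hostname this object may be issued a certificate for."""
        return {self._hostname(p) for p in [self.name, *self.aliases]}


class CSRValidationError(Exception):
    """Stands in for IPA's error 3009 (invalid 'csr')."""


def validate_host_csr(cn: str, dns_sans: list, principal: Principal) -> bool:
    """Accept the CSR only if its CN and every dNSName SAN belong to the principal.

    Simplification: real IPA additionally allows SANs naming other hosts the
    requester is allowed to manage; here all names must be the principal's own.
    """
    allowed = principal.hostnames()
    if cn.lower() not in allowed:
        raise CSRValidationError(
            f"invalid 'csr': hostname in subject of request '{cn}' does not "
            f"match name or aliases of principal '{principal.name}'")
    for san in dns_sans:
        if san.lower() not in allowed:
            raise CSRValidationError(
                f"invalid 'csr': subject alt name '{san}' does not match "
                f"name or aliases of principal '{principal.name}'")
    return True


def _attempt(cn: str, sans: list, principal: Principal) -> str:
    try:
        validate_host_csr(cn, sans, principal)
        return "accepted"
    except CSRValidationError as exc:
        return str(exc)


def outcomes() -> dict:
    """The three cases from the thread: no alias, with alias, arbitrary CN."""
    ipa_host = Principal("host/ipa.home.arpa@HOME.ARPA")
    # Hypothetical alias, as created by:
    #   ipa host-add-principal ipa.home.arpa host/kube-apiserver@HOME.ARPA
    # Aliases are realm-global, which is the drawback raised in the thread.
    aliased = Principal("host/ipa.home.arpa@HOME.ARPA",
                        ["host/kube-apiserver@HOME.ARPA"])
    return {
        "no_alias": _attempt("kube-apiserver", [], ipa_host),
        "with_alias": _attempt("kube-apiserver", ["kube-apiserver"], aliased),
        "arbitrary": _attempt("anything-at-all", [], aliased),
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case}: {result}")
```

The point of the model is the binding, not the string matching: every name in the CSR must resolve to an identity object the requester is authorised for, so an alias widens the set of acceptable subjects by exactly the names you register, and nothing more.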