Ian Pilcher wrote:
On 01/30/2018 02:27 PM, Rob Crittenden wrote:
> Not sure what you mean by arbitrary. You can definitely generate a CSR
> using your favorite tool and pass that to ipa cert-request.
By arbitrary I meant a CSR/certificate that doesn't correspond to a host
(or user) that is managed by the FreeIPA server. In my situation, I
would like to sign TLS certificates for several of my network switches,
wireless access points, etc., none of which can be enrolled as IPA
hosts.
I see. Well, technically a host/service/whatever doesn't need to be
enrolled to get a cert it just needs a presence within IPA. Basically a
bucket into which to drop the cert for tracking.
So you can do this:
$ ipa host-add
router.example.com
$ openssl ...
$ ipa cert-request
host/router.example.com ...
I realize even this can seem a bit overbearing when you just want a cert
but given that IPA tries to be the central authority on things it made
sense to make it know about all issued certs as well.
That and my fear that if the requirement was relaxed an intruder,
disgruntled admin, whatever who got IPA admin rights could really do
some nasty things (e.g. add a DNS record for
yourbank.com, get a valid,
trusted cert for it, etc).
rob