Hi,
I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right way to generate per-user certificates? (Looking to generate certs for Android and Chrome OS, so I don't have an easy way to build a CSR on those devices directly that I can find; I assume I want to just generate the cert & key on the IPA server, copy it securely, then nuke the private key, and place the public key somewhere for OpenVPN to find?
On Mon, Jan 29, 2018 at 01:34:37PM +0000, Mike Kelly via FreeIPA-users wrote:
Hi,
I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right way to generate per-user certificates? (Looking to generate certs for Android and Chrome OS, so I don't have an easy way to build a CSR on those devices directly that I can find; I assume I want to just generate the cert & key on the IPA server, copy it securely, then nuke the private key, and place the public key somewhere for OpenVPN to find?
Ideally you should generate the keys and create a CSR on the device. Then use IPA to issue certificates for the user. But I do not know enough about Android or Chrome OS to know the best way to do this.
Alternatively you can generate the keys and request the certificates from a central server, and distribute the keys to users as (presumably) PKCS #12 files or something similar.
As for the public key, actually you should not need to tell OpenVPN about the public keys at all. Rather you should configure OpenVPN to trust the CA that signed the client certificates. Again, I do not know the specifics but man pages should explain it.
HTH, Fraser
--
Mike Kelly
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On 01/29/2018 05:32 PM, Fraser Tweedale via FreeIPA-users wrote:
Ideally you should generate the keys and create a CSR on the device. Then use IPA to issue certificates for the user.
Jumping in to this thread ... I know how to generate a keypair and CSR, but I've never been able to figure out how to get FreeIPA to generate a certificate from a CSR.
If there's documentation somewhere that I've missed in my many searches, I'd appreciate a pointer.
Ian Pilcher via FreeIPA-users wrote:
On 01/29/2018 05:32 PM, Fraser Tweedale via FreeIPA-users wrote:
Ideally you should generate the keys and create a CSR on the device. Then use IPA to issue certificates for the user.
Jumping in to this thread ... I know how to generate a keypair and CSR, but I've never been able to figure out how to get FreeIPA to generate a certificate from a CSR.
If there's documentation somewhere that I've missed in my many searches, I'd appreciate a pointer.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
rob
On 01/30/2018 09:53 AM, Rob Crittenden wrote:
Ian Pilcher via FreeIPA-users wrote:
Jumping in to this thread ... I know how to generate a keypair and CSR, but I've never been able to figure out how to get FreeIPA to generate a certificate from a CSR.
If there's documentation somewhere that I've missed in my many searches, I'd appreciate a pointer.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Thanks!
(Unfortunately, I had misinterpreted the earlier comments in this thread to indicate that it was now possible to simply issue a certificate, based on an arbitrary CSR. It seems that still isn't the case.)
Ian Pilcher via FreeIPA-users wrote:
On 01/30/2018 09:53 AM, Rob Crittenden wrote:
Ian Pilcher via FreeIPA-users wrote:
Jumping in to this thread ... I know how to generate a keypair and CSR, but I've never been able to figure out how to get FreeIPA to generate a certificate from a CSR.
If there's documentation somewhere that I've missed in my many searches, I'd appreciate a pointer.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Thanks!
(Unfortunately, I had misinterpreted the earlier comments in this thread to indicate that it was now possible to simply issue a certificate, based on an arbitrary CSR. It seems that still isn't the case.)
Not sure what you mean by arbitrary. You can definitely generate a CSR using your favorite tool and pass that to ipa cert-request.
rob
On 01/30/2018 02:27 PM, Rob Crittenden wrote:
Not sure what you mean by arbitrary. You can definitely generate a CSR using your favorite tool and pass that to ipa cert-request.
By arbitrary I meant a CSR/certificate that doesn't correspond to a host (or user) that is managed by the FreeIPA server. In my situation, I would like to sign TLS certificates for several of my network switches, wireless access points, etc., none of which can be enrolled as IPA hosts.
Ian Pilcher wrote:
On 01/30/2018 02:27 PM, Rob Crittenden wrote:
Not sure what you mean by arbitrary. You can definitely generate a CSR using your favorite tool and pass that to ipa cert-request.
By arbitrary I meant a CSR/certificate that doesn't correspond to a host (or user) that is managed by the FreeIPA server. In my situation, I would like to sign TLS certificates for several of my network switches, wireless access points, etc., none of which can be enrolled as IPA hosts.
I see. Well, technically a host/service/whatever doesn't need to be enrolled to get a cert it just needs a presence within IPA. Basically a bucket into which to drop the cert for tracking.
So you can do this:
$ ipa host-add router.example.com
$ openssl ...
$ ipa cert-request host/router.example.com ...
I realize even this can seem a bit overbearing when you just want a cert but given that IPA tries to be the central authority on things it made sense to make it know about all issued certs as well.
That and my fear that if the requirement was relaxed an intruder, disgruntled admin, whatever who got IPA admin rights could really do some nasty things (e.g. add a DNS record for yourbank.com, get a valid, trusted cert for it, etc).
rob
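The following script is an added example, not code from the thread or from the FreeIPA project. It walks through the host flow Rob outlines (create the host entry as the "bucket", build a key and CSR with OpenSSL so the private key never leaves the requesting machine, submit the CSR with `ipa cert-request`) and then shows Fraser's point for OpenVPN: the server is configured to trust the IPA CA rather than being handed individual client public keys. It assumes a Kerberos ticket with rights to add hosts and request certificates, `openssl` and `ipa` on the PATH, FreeIPA 4.5 or later for `--certificate-out`, `/etc/ipa/ca.crt` present as on an enrolled client, and `router.example.com` as an illustrative name. For Mike's per-user case the same submission is made with a user principal (`--principal=alice@EXAMPLE.COM`) and a CSR whose subject CN is the user's uid.

```shell
#!/bin/sh
# Added example (not from the thread): key + CSR with openssl, submission to
# the FreeIPA CA with `ipa cert-request`, verification against the IPA CA, and
# the OpenVPN server-side trust fragment. Names and paths are illustrative.
set -eu

# Write an OpenSSL request config so the CSR carries a dNSName SAN equal to
# the host principal's FQDN; IPA checks SAN/CN against the principal entry.
write_req_config() {
    fqdn="$1"; out="$2"
    cat > "$out" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $fqdn
[ ext ]
subjectAltName = DNS:$fqdn
extendedKeyUsage = serverAuth
EOF
}

# Generate the key pair and CSR locally. Prints the CSR path.
make_csr() {
    fqdn="$1"; dir="$2"
    write_req_config "$fqdn" "$dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -config "$dir/req.cnf" 2>/dev/null
    chmod 600 "$dir/$fqdn.key"
    echo "$dir/$fqdn.csr"
}

# Print the subjectAltName value of a CSR so the caller can confirm it matches
# the principal before submitting (a mismatch is rejected by the CA anyway).
csr_san() {
    openssl req -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Create the IPA host entry if missing (--force skips the DNS lookup, useful
# for switches/APs that are not in IPA DNS), submit the CSR against the host
# principal, and check that the issued certificate chains to the IPA CA.
request_host_cert() {
    fqdn="$1"; dir="$2"
    ipa host-show "$fqdn" >/dev/null 2>&1 || ipa host-add "$fqdn" --force
    ipa cert-request "$dir/$fqdn.csr" \
        --principal="host/$fqdn" \
        --certificate-out="$dir/$fqdn.crt"
    openssl verify -CAfile /etc/ipa/ca.crt "$dir/$fqdn.crt"
}

# OpenVPN server fragment: trust the IPA CA and require a client certificate
# with the client EKU, instead of registering each client's public key.
openvpn_ca_fragment() {
    printf 'ca /etc/ipa/ca.crt\nverify-client-cert require\nremote-cert-tls client\n'
}

# Usage: ./ipa-csr.sh run   (needs a kinit'ed ticket and an IPA client)
if [ "${1-}" = "run" ]; then
    work=$(mktemp -d)
    csr=$(make_csr router.example.com "$work")
    echo "CSR SAN: $(csr_san "$csr")"
    request_host_cert router.example.com "$work"
    openvpn_ca_fragment
fi
```

The CSR is verified locally (`csr_san`) before it reaches the CA because the FreeIPA CA rejects requests whose subject or SAN do not match the principal entry; checking first saves a round trip and makes the rejection reason obvious. The issued certificate is checked with `openssl verify` against `/etc/ipa/ca.crt`, the same file the OpenVPN `ca` directive points at.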
Hi Mike,
Did you have any joy with this? I've been using my IPA PKI for our 802.1X infrastructure, which is working nicely for the enrolled Linux hosts. I've been considering adding some Chrome OS into the mix, but before shelling out for some devices I've been trying to navigate both the manual and extension-based install methods.
It looks like some additional network management options, including some certificate bits, have been added into the Google admin console, which I thought might yield a method for doing per-device certificates, and I've also been trying to make sense of whether the extension-based bits in https://support.google.com/chrome/a/answer/6080885?hl=en could be made to play nicely with Dogtag. https://support.google.com/chrome/a/answer/6321820?hl=en looks like a no-go due to wanting an AD infrastructure!
Anyway, would be interested to hear how you're getting along,
David
On 30 January 2018 at 20:49, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Ian Pilcher wrote:
On 01/30/2018 02:27 PM, Rob Crittenden wrote:
Not sure what you mean by arbitrary. You can definitely generate a CSR using your favorite tool and pass that to ipa cert-request.
By arbitrary I meant a CSR/certificate that doesn't correspond to a host (or user) that is managed by the FreeIPA server. In my situation, I would like to sign TLS certificates for several of my network switches, wireless access points, etc., none of which can be enrolled as IPA hosts.
I see. Well, technically a host/service/whatever doesn't need to be enrolled to get a cert it just needs a presence within IPA. Basically a bucket into which to drop the cert for tracking.
So you can do this:
$ ipa host-add router.example.com
$ openssl ...
$ ipa cert-request host/router.example.com ...
I realize even this can seem a bit overbearing when you just want a cert but given that IPA tries to be the central authority on things it made sense to make it know about all issued certs as well.
That and my fear that if the requirement was relaxed an intruder, disgruntled admin, whatever who got IPA admin rights could really do some nasty things (e.g. add a DNS record for yourbank.com, get a valid, trusted cert for it, etc).
rob