Red Hat SummitChapter 5. Converting certificate formats to work with IdM
Administrators format certificates correctly to ensure compatibility with IdM commands. Common tasks include loading external certificates into user profiles, configuring smart card authentication, and exporting credentials for browser compatibility.
5.1. Certificate formats and encodings in IdM
IdM authentication verifies user identity by comparing the presented certificate against the stored profile data. While the profile stores only the public certificate, the user must prove possession of the corresponding private key during the authentication process.
- System configuration
- What is stored in the IdM profile is only the certificate, not the corresponding private key. During authentication, the user must also show that he is in possession of the corresponding private key. The user does that by either presenting a PKCS #12 file that contains both the certificate and the private key or by presenting two files: one that contains the certificate and the other containing the private key.
Therefore, processes such as loading a certificate into a user profile only accept certificate files that do not contain the private key.
Similarly, when a system administrator provides you with an external CA certificate, he will provide only the public data: the certificate without the private key. The ipa-advise utility for configuring the IdM server or the IdM client for smart card authentication expects the input file to contain the certificate of the external CA but not the private key.
- Certificate encodings
-
There are two common certificate encodings: Privacy-enhanced Electronic Mail (
PEM) and Distinguished Encoding Rules (DER). Thebase64format is almost identical to thePEMformat but it does not contain the-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----header and footer.
A certificate that has been encoded using DER is a binary X509 digital certificate file. As a binary file, the certificate is not human-readable. DER files sometimes use the .der filename extension, but files with the .crt and .cer filename extensions also sometimes contain DER certificates. DER files containing keys can be named .key.
A certificate that has been encoded using PEM Base64 is a human-readable file. The file contains ASCII (Base64) armored data prefixed with a "-----BEGIN …" line. PEM files sometimes use the .pem filename extension, but files with the .crt and .cer filename extensions also sometimes contain PEM certificates. PEM files containing keys can be named .key.
Different ipa commands have different limitations regarding the types of certificates that they accept. For example, the ipa user-add-cert command only accepts certificates encoded in the base64 format but ipa-server-certinstall accepts PEM, DER, PKCS #7, PKCS #8 and PKCS #12 certificates.
| Encoding format | Human-readable | Common filename extensions | Sample IdM commands accepting the encoding format |
|---|---|---|---|
| PEM/base64 | Yes | .pem, .crt, .cer | ipa user-add-cert, ipa-server-certinstall, … |
| DER | No | .der, .crt, .cer | ipa-server-certinstall, … |
Certificate-related commands and formats in IdM lists further ipa commands with the certificate formats that the commands accept.
- User authentication
- When using the web UI to access IdM, the user proves that he is in possession of the private key corresponding to the certificate by having both stored in the browser’s database.
When using the CLI to access IdM, the user proves that he is in possession of the private key corresponding to the certificate by one of the following methods:
The user adds, as the value of the
X509_user_identityparameter of thekinit -Xcommand, the path to the smart card module that is connected to the smart card that contains both the certificate and the key:$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_userThe user adds two files as the values of the
X509_user_identityparameter of thekinit -Xcommand, one containing the certificate and the other the private key:$ kinit -X X509_user_identity='FILE:`/path/to/cert.pem,/path/to/cert.key`' idm_user- Useful certificate commands
To view the certificate data, such as the subject and the issuer:
$ openssl x509 -noout -text -in ca.pemTo compare in which lines two certificates differ:
$ diff cert1.crt cert2.crtTo compare in which lines two certificates differ with the output displayed in two columns:
$ diff cert1.crt cert2.crt -y
5.2. Converting an external certificate in the IdM CLI and loading it into an IdM user account
The IdM CLI requires certificates in a specific stripped PEM format. Administrators use OpenSSL to convert binary DER or PKCS #12 files into PEM strings, removing the header and footer lines before adding them to user entries by using the ipa user-add-cert command.
Procedure
Convert the certificate to the
PEMformat:If your certificate is in the
DERformat:$ openssl x509 -in cert.crt -inform der -outform pem -out cert.pemIf your file is in the
PKCS #12format, whose common filename extensions are.pfxand.p12, and contains a certificate, a private key, and possibly other data, extract the certificate using theopenssl pkcs12utility. When prompted, enter the password protecting the private key stored in the file:$ openssl pkcs12 -in cert_and_key.p12 -clcerts -nokeys -out cert.pemEnter Import Password:
Obtain the administrator’s credentials:
$ kinit adminAdd the certificate to the user account using the
IdM CLIfollowing one of the following methods:Remove the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) of the
PEMfile using thesedutility before adding the string to theipa user-add-certcommand:$ ipa user-add-cert some_user --certificate="$(sed -e '/BEGIN CERTIFICATE/d;/END CERTIFICATE/d' cert.pem)"Copy and paste the contents of the certificate file without the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the
ipa user-add-certcommand:$ ipa user-add-cert some_user --certificate=MIIDlzCCAn+gAwIBAgIBATANBgkqhki...NoteYou cannot pass a
PEMfile containing the certificate as input to theipa user-add-certcommand directly, without first removing the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----):$ ipa user-add-cert some_user --cert=some_user_cert.pemThis command results in the "ipa: ERROR: Base64 decoding failed: Incorrect padding" error message.
To check if the certificate was accepted by the system:
$ ipa user-show some_user
5.3. Converting an external certificate in the IdM web UI for loading into an IdM user account
The IdM Web UI simplifies certificate management by accepting standard PEM or Base64 formats with or without headers. Administrators convert source files by using OpenSSL and paste the resulting text directly into the user profile interface.
Procedure
Using the
CLI, convert the certificate to thePEMformat:-
If your certificate is in the
DERformat:
$ openssl x509 -in cert.crt -inform der -outform pem -out cert.pemIf your file is in the
PKCS #12format, whose common filename extensions are.pfxand.p12, and contains a certificate, a private key, and possibly other data, extract the certificate using theopenssl pkcs12utility. When prompted, enter the password protecting the private key stored in the file:$ openssl pkcs12 -in cert_and_key.p12 -clcerts -nokeys -out cert.pemEnter Import Password:
-
If your certificate is in the
-
Open the certificate in an editor and copy the contents. You can include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" header and footer lines but you do not have to, as both the
PEMandbase64formats are accepted by the IdM web UI. - In the IdM web UI, log in as security officer.
-
Go to Identity
Users <user_name>. - Click Add next to Certificates.
- Paste the PEM-formatted contents of the certificate into the window that opens.
Click Add.
If the certificate was accepted by the system, you can see it listed among the Certificates in the user profile.
5.4. Preparing to load a certificate into the browser
Before importing a user certificate into the browser, make sure that the certificate and the corresponding private key are in a PKCS #12 format. There are two common situations requiring extra preparatory work:
- The certificate is located in an NSS database. For details how to proceed in this situation, see Exporting a certificate and private key from an NSS database into a PKCS #12 file.
-
The certificate and the private key are in two separate
PEMfiles. For details how to proceed in this situation, see Combining certificate and private key PEM files into a PKCS #12 file.
Afterwards, to import both the CA certificate in the PEM format and the user certificate in the PKCS #12 format into the browser, follow the procedures in Configuring a browser to enable certificate authentication and Authenticating to the Identity Management Web UI with a Certificate as an Identity Management User.
5.4.1. Exporting a certificate and private key from an NSS database into a PKCS #12 file
The pk12util tool exports cryptographic pairs from the NSS database into a portable format. This command extracts the specified certificate and its private key into a password-protected .p12 file suitable for browser import.
Procedure
Use the
pk12utilcommand to export the certificate from the NSS database to thePKCS12format. For example, to export the certificate with thesome_usernickname from the NSS database stored in the~/certdbdirectory into the~/some_user.p12file:$ pk12util -d ~/certdb -o ~/some_user.p12 -n some_userEnter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFULSet appropriate permissions for the
.p12file:# chmod 600 ~/some_user.p12Because the
PKCS #12file also contains the private key, it must be protected to prevent other users from using the file. Otherwise, they would be able to impersonate the user.
5.4.2. Combining certificate and private key PEM files into a PKCS #12 file
You can combine a certificate and the corresponding key stored in separate PEM files into a PKCS #12 file by using the openssl command.
Procedure
To combine a certificate stored in
certfile.cerand a key stored incertfile.keyinto acertfile.p12file that contains both the certificate and the key:$ openssl pkcs12 -export -in certfile.cer -inkey certfile.key -out certfile.p12
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}