Red Hat SummitChapter 4. Managing externally signed certificates for IdM users, hosts, and services
This chapter describes how to use the Identity Management (IdM) command-line interface (CLI) and the IdM Web UI to add or remove user, host, or service certificates that were issued by an external certificate authority (CA).
4.1. Adding a certificate issued by an external CA to an IdM user, host, or service by using the IdM CLI
As an Identity Management (IdM) administrator, you can add an externally signed certificate to the account of an IdM user, host, or service by using the Identity Management (IdM) CLI.
Prerequisites
- You have obtained the ticket-granting ticket of an administrative user.
Procedure
To add a certificate to an IdM user, enter:
ipa user-add-cert user --certificate=MIQTPrajQAwg...
$ ipa user-add-cert user --certificate=MIQTPrajQAwg...Copy to Clipboard Copied! Toggle word wrap Toggle overflow Specify the following information:
- The name of the user
The Base64-encoded DER certificate
NoteInstead of copying and pasting the certificate contents into the command line, you can convert the certificate to the DER format and then re-encode it to Base64. For example, to add the
user_cert.pemcertificate touser, enter:ipa user-add-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"
$ ipa user-add-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
You can run the
ipa user-add-certcommand interactively by executing it without adding any options.-
To add a certificate to an IdM host, enter:
ipa host-add-cert -
To add a certificate to an IdM service, enter:
ipa service-add-cert
Additional resources
4.2. Adding a certificate issued by an external CA to an IdM user, host, or service by using the IdM Web UI
As an Identity Management (IdM) administrator, you can add an externally signed certificate to the account of an IdM user, host, or service by using the Identity Management (IdM) Web UI.
Prerequisites
- You are logged in to the Identity Management (IdM) Web UI as an administrative user.
Procedure
-
Open the
Identitytab, and select theUsers,Hosts, orServicessubtab. - Click the name of the user, host, or service to open its configuration page.
Click next to the
Certificatesentry.Adding a certificate to a user account
- Paste the certificate in Base64 or PEM encoded format into the text field, and click .
- Click to store the changes.
4.3. Removing a certificate issued by an external CA from an IdM user, host, or service account by using the IdM CLI
As an Identity Management (IdM) administrator, you can remove an externally signed certificate from the account of an IdM user, host, or service by using the Identity Management (IdM) CLI .
Prerequisites
- You have obtained the ticket-granting ticket of an administrative user.
Procedure
To remove a certificate from an IdM user, enter:
ipa user-remove-cert user --certificate=MIQTPrajQAwg...
$ ipa user-remove-cert user --certificate=MIQTPrajQAwg...Copy to Clipboard Copied! Toggle word wrap Toggle overflow Alternatively, you can run the
ipa user-remove-certcommand interactively by executing it without adding any options.Specify the following information:
- The name of the user
- The Base64-encoded DER certificate
NoteInstead of copying and pasting the certificate contents into the command line, you can convert the certificate to the DER format and then re-encode it to Base64. For example, to remove the
user_cert.pemcertificate fromuser, enter:+
ipa user-remove-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"
$ ipa user-remove-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"Copy to Clipboard Copied! Toggle word wrap Toggle overflow To remove a certificate from an IdM host, enter:
-
ipa host-remove-cert
-
To remove a certificate from an IdM service, enter:
-
ipa service-remove-cert
-
Additional resources
4.4. Removing a certificate issued by an external CA from an IdM user, host, or service account by using the IdM Web UI
As an Identity Management (IdM) administrator, you can remove an externally signed certificate from the account of an IdM user, host, or service by using the Identity Management (IdM) Web UI.
Prerequisites
- You are logged in to the Identity Management (IdM) Web UI as an administrative user.
Procedure
-
Open the
Identitytab, and select theUsers,Hosts, orServicessubtab. - Click the name of the user, host, or service to open its configuration page.
- Click the next to the certificate to delete, and select .
- Click to store the changes.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}