Red Hat SummitChapter 4. Managing externally signed certificates for IdM users, hosts, and services
Administrators use the Identity Management (IdM) command-line interface (CLI) and IdM Web UI to associate externally signed certificates with internal accounts. This integration allows users, hosts, and services to authenticate using credentials issued by third-party or corporate Certificate Authorities.
4.1. Adding a certificate issued by an external CA to an IdM user, host, or service by using the IdM CLI
The ipa command-line tools enable administrators to attach specific external certificates to IdM entities. Commands such as ipa user-add-cert accept Base64-encoded strings, linking the external credential directly to the specified user, host, or service account.
Prerequisites
- You have obtained the ticket-granting ticket of an administrative user.
Procedure
To add a certificate to an IdM user, enter:
ipa user-add-cert user --certificate=MIQTPrajQAwg...
$ ipa user-add-cert user --certificate=MIQTPrajQAwg...Copy to Clipboard Copied! Toggle word wrap Toggle overflow Specify the following information:
- The name of the user
The Base64-encoded DER certificate
NoteInstead of copying and pasting the certificate contents into the command line, you can convert the certificate to the DER format and then re-encode it to Base64. For example, to add the
user_cert.pemcertificate touser, enter:ipa user-add-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"
$ ipa user-add-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
You can run the
ipa user-add-certcommand interactively by executing it without adding any options.-
To add a certificate to an IdM host, enter:
ipa host-add-cert -
To add a certificate to an IdM service, enter:
ipa service-add-cert
4.2. Adding a certificate issued by an external CA to an IdM user, host, or service by using the IdM Web UI
The IdM Web UI offers a graphical interface for uploading external certificates. Administrators navigate to the target entity’s profile page and paste the PEM or Base64-encoded certificate data directly into the configuration field to associate it.
Prerequisites
- You are logged in to the Identity Management (IdM) Web UI as an administrative user.
Procedure
-
Open the
Identitytab, and select theUsers,Hosts, orServicessubtab. - Click the name of the user, host, or service to open its configuration page.
Click next to the
Certificatesentry.Adding a certificate to a user account
- Paste the certificate in Base64 or PEM encoded format into the text field, and click .
- Click to store the changes.
4.3. Removing a certificate issued by an external CA from an IdM user, host, or service account by using the IdM CLI
As an Identity Management (IdM) administrator, you can remove an externally signed certificate from the account of an IdM user, host, or service by using the Identity Management (IdM) CLI .
Prerequisites
- You have obtained the ticket-granting ticket of an administrative user.
Procedure
To remove a certificate from an IdM user, enter:
ipa user-remove-cert user --certificate=MIQTPrajQAwg...
$ ipa user-remove-cert user --certificate=MIQTPrajQAwg...Copy to Clipboard Copied! Toggle word wrap Toggle overflow Alternatively, you can run the
ipa user-remove-certcommand interactively by executing it without adding any options.Specify the following information:
- The name of the user
- The Base64-encoded DER certificate
NoteInstead of copying and pasting the certificate contents into the command line, you can convert the certificate to the DER format and then re-encode it to Base64. For example, to remove the
user_cert.pemcertificate fromuser, enter:ipa user-remove-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"
$ ipa user-remove-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"Copy to Clipboard Copied! Toggle word wrap Toggle overflow To remove a certificate from an IdM host, enter:
-
ipa host-remove-cert
-
To remove a certificate from an IdM service, enter:
-
ipa service-remove-cert
-
4.4. Removing a certificate issued by an external CA from an IdM user, host, or service account by using the IdM Web UI
As an Identity Management (IdM) administrator, you can remove an externally signed certificate from the account of an IdM user, host, or service by using the Identity Management (IdM) Web UI.
Prerequisites
- You are logged in to the Identity Management (IdM) Web UI as an administrative user.
Procedure
-
Open the
Identitytab, and select theUsers,Hosts, orServicessubtab. - Click the name of the user, host, or service to open its configuration page.
- Click the next to the certificate to delete, and select .
- Click to store the changes.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}