24.5. Certificate Authority ACL Rules
Certificate Authority access control list (CA ACL) rules define which profiles can be used to issue certificates to which users, services, or hosts. By associating profiles, principals, and groups, CA ACLs permit principals or groups to request certificates using particular profiles:
- an ACL can permit access to multiple profiles
- an ACL can have multiple users, services, hosts, user groups, and host groups associated with it
For example, using CA ACLs, the administrator can restrict use of a profile intended for employees working from the London office to users who are members of the London office group.
Note
By combining certificate profiles, described in Section 24.4, “Certificate Profiles”, and CA ACLs, the administrator can define and control access to custom certificate profiles. For a description of using profiles and CA ACLs to issue user certificates, see Section 24.6, “Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs”.
24.5.1. CA ACL Management from the Command Line
The caacl plug-in for management of CA ACL rules allows privileged users to add, display, modify, or delete a specified CA ACL. To display all commands supported by the plug-in, run the ipa caacl command.
Note that to perform the caacl operations, you must be operating as a user who has the required permissions. IdM includes the following CA ACL-related permissions by default:
- "System: Read CA ACLs": enables the user to read all attributes of the CA ACL.
- "System: Add CA ACL": enables the user to add a new CA ACL.
- "System: Delete CA ACL": enables the user to delete an existing CA ACL.
- "System: Modify CA ACL": enables the user to modify an attribute of the CA ACL and to disable or enable the CA ACL.
- "System: Manage CA ACL membership": enables the user to manage the CA, profile, user, host, and service membership in the CA ACL.
All these permissions are included in the default CA Administrator privilege. For more information on IdM role-based access controls and managing permissions, see Section 10.4, “Defining Role-Based Access Controls”.
This section describes only the most important aspects of using the ipa caacl commands for CA ACL management. For complete information about a command, run it with the --help option added.
Creating CA ACLs
To create a new CA ACL, use the ipa caacl-add command. Running the command without any options starts an interactive session in which the ipa caacl-add script prompts you for the required information about the new CA ACL.
New CA ACLs are enabled by default.
The most notable options accepted by ipa caacl-add are the options that associate a CA ACL with a CA, certificate profile, user, host, or service category:
- --cacat
- --profilecat
- --usercat
- --hostcat
- --servicecat
IdM only accepts the all value with these options, which associates the CA ACL with all CAs, profiles, users, hosts, or services. For example, to associate the CA ACL with all users and user groups:
$ ipa caacl-add ca_acl_name --usercat=all
CA, profile, user, host, and service categories are an alternative to adding particular objects or groups of objects to a CA ACL, which is described in the section called “Adding Entries to CA ACLs and Removing Entries from CA ACLs”. Note that it is not possible to use a category and also add objects or groups of the same type; for example, you cannot use the --usercat=all option and then add a user to the CA ACL with the ipa caacl-add-user --users=user_name command.
Note
Requesting a certificate for a user or group using a certificate profile fails if the user or group is not covered by a CA ACL that also lists the profile. For example:
$ ipa cert-request CSR-FILE --principal user --profile-id profile_id
ipa: ERROR Insufficient access: Principal 'user' is not permitted to use CA '.' with profile 'profile_id' for certificate issuance.
You must either add the user or group to the CA ACL, as described in the section called “Adding Entries to CA ACLs and Removing Entries from CA ACLs”, or associate the CA ACL with the all user category.
Displaying CA ACLs
To display all CA ACLs, use the ipa caacl-find command.
Note that ipa caacl-find accepts the --cacat, --profilecat, --usercat, --hostcat, and --servicecat options, which can be used to filter the results of the search to CA ACLs with the corresponding CA, certificate profile, user, host, or service category. Note that IdM only accepts the all category with these options. For more information about the options, see the section called “Creating CA ACLs”.
To display information about a particular CA ACL, use the ipa caacl-show command.
Modifying CA ACLs
To modify an existing CA ACL, use the ipa caacl-mod command. Pass the required modifications using the command-line options accepted by ipa caacl-mod; for example, you can change the description of a CA ACL or associate the CA ACL with all certificate profiles in a single call.
The most notable options accepted by ipa caacl-mod are the --cacat, --profilecat, --usercat, --hostcat, and --servicecat options. For a description of these options, see the section called “Creating CA ACLs”.
Disabling and Enabling CA ACLs
To disable a CA ACL, use the ipa caacl-disable command:
$ ipa caacl-disable ca_acl_name
---------------------------
Disabled CA ACL "ca_acl_name"
---------------------------
A disabled CA ACL is not applied and cannot be used to request a certificate. Disabling a CA ACL does not remove it from IdM.
To enable a disabled CA ACL, use the ipa caacl-enable command:
$ ipa caacl-enable ca_acl_name
---------------------------
Enabled CA ACL "ca_acl_name"
---------------------------
Deleting CA ACLs
To remove an existing CA ACL, use the ipa caacl-del command:
$ ipa caacl-del ca_acl_name
Adding Entries to CA ACLs and Removing Entries from CA ACLs
Using the ipa caacl-add-* and ipa caacl-remove-* commands, you can add new entries to a CA ACL or remove existing entries:
- ipa caacl-add-ca and ipa caacl-remove-ca: add or remove a CA.
- ipa caacl-add-host and ipa caacl-remove-host: add or remove a host or host group.
- ipa caacl-add-profile and ipa caacl-remove-profile: add or remove a certificate profile.
- ipa caacl-add-service and ipa caacl-remove-service: add or remove a service.
- ipa caacl-add-user and ipa caacl-remove-user: add or remove a user or user group.
For example, to add a user group to a CA ACL:
$ ipa caacl-add-user ca_acl_name --groups=group_name
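The permissions, creation, and membership commands described above, put together as one script. This is an added example written for this page, not a script from the IdM documentation or the FreeIPA project. It first delegates CA ACL work to a role that carries only the "System: Read CA ACLs" and "System: Manage CA ACL membership" permissions listed above, which is narrower than the default CA Administrator privilege, and then builds a CA ACL that lets members of a London office group request certificates with a London-specific profile. The privilege, role, operator, CA ACL, profile, and group names are hypothetical; the profile and the group must already exist, and the IdM CA is assumed to be named ipa. The option names are those of the ipa privilege-*, ipa role-*, and ipa caacl-add-* commands; confirm them with --help on your release. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not IdM or FreeIPA code. All names below are hypothetical
# except "ipa", the name of the IdM CA, and the permission names, which are
# the defaults listed in the documentation.
set -eu

ACL_NAME=london_user_cert                # hypothetical CA ACL
PROFILE=london_user                      # hypothetical profile (must exist)
GROUP=london_office                      # hypothetical IdM user group (must exist)
CA_NAME=ipa                              # the IdM CA
PRIV_NAME="CA ACL Membership Manager"    # hypothetical privilege
ROLE_NAME="CA ACL Operator"              # hypothetical role
OPERATOR=caacl_admin                     # hypothetical IdM user

# With DRY_RUN=1 the command is printed (shell-quoted) instead of executed,
# so the sequence can be reviewed on a host without an IdM client.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        for _a in "$@"; do
            case $_a in
                *[!A-Za-z0-9_./=:-]*) printf "'%s' " "$_a" ;;
                *)                    printf '%s ' "$_a" ;;
            esac
        done
        echo
    else
        "$@"
    fi
}

# Least privilege: a privilege with only the two CA ACL permissions a
# helpdesk operator needs (read, manage membership). Unlike the default
# "CA Administrator" privilege it cannot add, modify, or delete CA ACLs.
caacl_delegate() {
    run ipa privilege-add "$PRIV_NAME" --desc="Read CA ACLs and manage their membership"
    run ipa privilege-add-permission "$PRIV_NAME" \
        --permissions="System: Read CA ACLs" \
        --permissions="System: Manage CA ACL membership"
    run ipa role-add "$ROLE_NAME" --desc="Operators allowed to change CA ACL membership"
    run ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME"
    run ipa role-add-member "$ROLE_NAME" --users="$OPERATOR"
}

# Scope the ACL with explicit members. No --usercat/--profilecat/--cacat
# category is used: an ACL with an explicit member of some type cannot
# also carry the "all" category of that type.
caacl_setup() {
    run ipa caacl-add "$ACL_NAME" --desc="London office user certificates"
    run ipa caacl-add-ca "$ACL_NAME" --cas="$CA_NAME"
    run ipa caacl-add-profile "$ACL_NAME" --certprofiles="$PROFILE"
    run ipa caacl-add-user "$ACL_NAME" --groups="$GROUP"
    run ipa caacl-show "$ACL_NAME"
}

# Number of commands a step would issue, without executing any of them.
dry_run_count() {
    ( DRY_RUN=1; "$1" ) | wc -l | tr -d ' '
}

# Run for real when an IdM client is present; otherwise print the commands.
if command -v ipa >/dev/null 2>&1; then
    caacl_delegate
    caacl_setup
else
    echo "ipa client not found; printing the commands instead:" >&2
    DRY_RUN=1
    caacl_delegate
    caacl_setup
fi
```

After the setup, a member of london_office can run ipa cert-request with --profile-id london_user, while a user outside the group gets the Insufficient access error shown in the notes above; the operator in the delegated role can move users and groups in and out of the ACL but cannot disable, modify, or delete it.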
Note that it is not possible to add an object or a group of objects to a CA ACL and also use a category of the same object, as described in the section called “Creating CA ACLs”; these settings are mutually exclusive. For example, if you attempt to run the ipa caacl-add-user --users=user_name command on a CA ACL specified with the --usercat=all option, the command fails:
$ ipa caacl-add-user ca_acl_name --users=user_name
ipa: ERROR: users cannot be added when user category='all'
Note
Requesting a certificate for a user or group using a certificate profile fails if the user or group is not covered by a CA ACL that also lists the profile. For example:
$ ipa cert-request CSR-FILE --principal user --profile-id profile_id
ipa: ERROR Insufficient access: Principal 'user' is not permitted to use CA '.' with profile 'profile_id' for certificate issuance.
You must either add the user or group to the CA ACL, or associate the CA ACL with the all user category, as described in the section called “Creating CA ACLs”.
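To reason about the Insufficient access error in this note and in the note under “Creating CA ACLs” without a live IdM server, the following added example checks a request against a CA ACL table using the rules described in this section: a disabled ACL is skipped, a category of all stands in for the whole member list of that type, and a user matches either directly or through one of its groups. This is a model written for this page, not IdM's own evaluation code; it covers only the user side (hosts and services follow the same pattern with their own category and member lists), and the rule table, the principal, group, CA, and profile names are all constructed.

```shell
#!/bin/sh
# Added example: a model of CA ACL evaluation, not IdM code.
set -eu

# Constructed rule table, one rule per line:
#   name|enabled|cacat|cas|profilecat|profiles|usercat|users|groups
# Member lists are comma-separated. A category of "all" stands in for the
# member list of that type (an ACL never carries both for the same type).
CAACL_RULES='london_user_cert|TRUE||ipa||london_user|||london_office
berlin_user_cert|TRUE||ipa||berlin_user||dieter|berlin_office
legacy_any_user|FALSE|all||all||all||
contractor_cert|TRUE||ipa||contractor_user|all||'

# in_list NEEDLE LIST: true if NEEDLE is one entry of comma-separated LIST.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# any_in_list LIST_A LIST_B: true if any entry of LIST_A appears in LIST_B.
any_in_list() {
    _old_ifs=$IFS
    IFS=,
    for _item in $1; do
        if in_list "$_item" "$2"; then IFS=$_old_ifs; return 0; fi
    done
    IFS=$_old_ifs
    return 1
}

# caacl_permits PRINCIPAL GROUPS CA PROFILE
#   GROUPS: comma-separated groups PRINCIPAL belongs to ("" if none).
# Prints the first enabled rule covering the request and returns 0, or
# prints the error the ipa client reports and returns 1.
caacl_permits() {
    principal=$1 groups=$2 ca=$3 profile=$4
    match=$(printf '%s\n' "$CAACL_RULES" |
        while IFS='|' read -r name enabled cacat cas profilecat profiles usercat users ugroups; do
            [ -n "$name" ] || continue
            [ "$enabled" = TRUE ] || continue        # a disabled CA ACL is not applied
            { [ "$cacat" = all ] || in_list "$ca" "$cas"; } || continue
            { [ "$profilecat" = all ] || in_list "$profile" "$profiles"; } || continue
            { [ "$usercat" = all ] || in_list "$principal" "$users" ||
              any_in_list "$groups" "$ugroups"; } || continue
            printf '%s\n' "$name"
            break
        done)
    if [ -n "$match" ]; then
        printf 'permitted by CA ACL "%s"\n' "$match"
        return 0
    fi
    printf "ipa: ERROR: Insufficient access: Principal '%s' is not permitted to use CA '%s' with profile '%s' for certificate issuance.\n" \
        "$principal" "$ca" "$profile" >&2
    return 1
}

# Demonstration on constructed requests: a London member with the London
# profile is permitted; a Berlin member asking for the London profile is not,
# even though the disabled legacy_any_user rule would have allowed anyone.
caacl_permits alice london_office ipa london_user
caacl_permits carol berlin_office ipa london_user || true
```

The table encodes the same constraint the CLI enforces: a rule carries either a user category of all or explicit users and groups, never both, so a rule such as contractor_cert with usercat=all has empty member lists.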
For detailed information on the required syntax for these commands and the available options, run the commands with the --help option added. For example:
$ ipa caacl-add-user --help
24.5.2. CA ACL Management from the Web UI
To manage CA ACLs from the IdM web UI:
- Open the Authentication tab and the Certificates subtab.
- Open the CA ACLs section.
Figure 24.9. CA ACL Rules Management in the Web UI
In the CA ACLs section, you can add new CA ACLs, display information about existing CA ACLs, modify their attributes, as well as enable, disable, or delete selected CA ACLs.
For example, to modify an existing CA ACL:
- Click on the name of the CA ACL to open the CA ACL configuration page.
- In the CA ACL configuration page, fill in the required information. The Profiles and Permitted to have certificates issued sections allow you to associate the CA ACL with certificate profiles and with users or user groups, hosts or host groups, or services. You can either add these objects using the buttons, or select the Anyone option to associate the CA ACL with all users, hosts, or services.
- Click to confirm the new configuration.
Figure 24.10. Modifying a CA ACL Rule in the Web UI