Red Hat Summit24.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
Users can request certificates for themselves when permitted by the Certificate Authority access control lists (CA ACLs). The following procedures use certificate profiles and CA ACLs, which are described separately in Section 24.4, “Certificate Profiles” and Section 24.5, “Certificate Authority ACL Rules”. For more details about using certificate profiles and CA ACLs, see these sections.
Issuing Certificates to Users from the Command Line
- Create or import a new custom certificate profile for handling requests for user certificates. For example:
ipa certprofile-import certificate_profile --file=certificate_profile.cfg --store=True
$ ipa certprofile-import certificate_profile --file=certificate_profile.cfg --store=TrueCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Add a new Certificate Authority (CA) ACL that will be used to permit requesting certificates for user entries. For example:
ipa caacl-add users_certificate_profile --usercat=all
$ ipa caacl-add users_certificate_profile --usercat=allCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Add the custom certificate profile to the CA ACL.
ipa caacl-add-profile users_certificate_profile --certprofiles=certificate_profile
$ ipa caacl-add-profile users_certificate_profile --certprofiles=certificate_profileCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Generate a certificate request for the user. For example, using OpenSSL:
openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=user'
$ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=user'Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Run the ipa cert-request command to have the IdM CA issue a new certificate for the user.
ipa cert-request cert.csr --principal=user --profile-id=certificate_profile
$ ipa cert-request cert.csr --principal=user --profile-id=certificate_profileCopy to Clipboard Copied! Toggle word wrap Toggle overflow Optionally pass the--ca sub-CA_nameoption to the command to request the certificate from a sub-CA instead of the root CAipa.
To make sure the newly-issued certificate is assigned to the user, you can use the ipa user-show command:
Issuing Certificates to Users in the Web UI
- Create or import a new custom certificate profile for handling requests for user certificates. Importing profiles is only possible from the command line, for example:
ipa certprofile-import certificate_profile --file=certificate_profile.txt --store=True
$ ipa certprofile-import certificate_profile --file=certificate_profile.txt --store=TrueCopy to Clipboard Copied! Toggle word wrap Toggle overflow For information about certificate profiles, see Section 24.4, “Certificate Profiles”. - In the web UI, under the Authentication tab, open the CA ACLs section.
Figure 24.11. CA ACL Rules Management in the Web UI
Click at the top of the list of Certificate Authority (CA) ACLs to add a new CA ACL that permits requesting certificates for user entries.- In the Add CA ACL window that opens, fill in the required information about the new CA ACL.
Figure 24.12. Adding a New CA ACL
Then, click to go directly to the CA ACL configuration page. - In the CA ACL configuration page, scroll to the Profiles section and click at the top of the profiles list.
Figure 24.13. Adding a Certificate Profile to the CA ACL
- Add the custom certificate profile to the CA ACL by selecting the profile and moving it to the Prospective column.
Figure 24.14. Selecting a Certificate Profile
Then, click . - Scroll to the Permitted to have certificates issued section to associate the CA ACL with users or user groups.You can either add users or groups using the buttons, or select the Anyone option to associate the CA ACL with all users.
Figure 24.15. Adding Users to the CA ACL
- In the Permitted to have certificates issued section, you can associate the CA ACL with one or more CAs.You can either add CAs using the button, or select the Any CA option to associate the CA ACL with all CAs.
Figure 24.16. Adding CAs to the CA ACL
- At the top of the CA ACL configuration page, click to confirm the changes to the CA ACL.
- Request a new certificate for the user.
- Under the Identity tab and the Users subtab, choose the user for whom the certificate will be requested. Click on the user's user name to open the user entry configuration page.
- Click at the top of the user configuration page, and then click New Certificate.
Figure 24.17. Requesting a Certificate for a User
- Fill in the required information.
Figure 24.18. Issuing a Certificate for a User
Then, click .
After this, the newly issued certificate is visible in the user configuration page.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}