24.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
Issuing Certificates to Users from the Command Line
- Create or import a new custom certificate profile for handling requests for user certificates. For example:
$ ipa certprofile-import certificate_profile --file=certificate_profile.cfg --store=True
- Add a new Certificate Authority (CA) ACL that will be used to permit requesting certificates for user entries. For example:
$ ipa caacl-add users_certificate_profile --usercat=all
- Add the custom certificate profile to the CA ACL.
$ ipa caacl-add-profile users_certificate_profile --certprofiles=certificate_profile
- Generate a certificate request for the user. For example, using OpenSSL:
$ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=user'
- Run the ipa cert-request command to have the IdM CA issue a new certificate for the user.
$ ipa cert-request cert.csr --principal=user --profile-id=certificate_profile
Optionally pass the --ca sub-CA_name option to the command to request the certificate from a sub-CA instead of the root CA ipa.
- Verify that the new certificate was added to the user entry.
$ ipa user-show user
User login: user
...
Certificate: MIICfzCCAWcCAQA...
...
Issuing Certificates to Users in the Web UI
- Create or import a new custom certificate profile for handling requests for user certificates. Importing profiles is only possible from the command line, for example:
$ ipa certprofile-import certificate_profile --file=certificate_profile.txt --store=True
For information about certificate profiles, see Section 24.4, “Certificate Profiles”.
- In the web UI, under the Authentication tab, open the CA ACLs section.
Figure 24.11. CA ACL Rules Management in the Web UI
Click the add button at the top of the list of Certificate Authority (CA) ACLs to add a new CA ACL that permits requesting certificates for user entries.
- In the Add CA ACL window that opens, fill in the required information about the new CA ACL.
Figure 24.12. Adding a New CA ACL
Then, click the button that takes you directly to the CA ACL configuration page.
- In the CA ACL configuration page, scroll to the Profiles section and click the add button at the top of the profiles list.
Figure 24.13. Adding a Certificate Profile to the CA ACL
- Add the custom certificate profile to the CA ACL by selecting the profile and moving it to the Prospective column.
Figure 24.14. Selecting a Certificate Profile
Then, click the button to confirm the selection.
- Scroll to the Permitted to have certificates issued section to associate the CA ACL with users or user groups. You can either add users or groups using the add buttons, or select the Anyone option to associate the CA ACL with all users.
Figure 24.15. Adding Users to the CA ACL
- In the Permitted to have certificates issued section, you can also associate the CA ACL with one or more CAs. You can either add CAs using the add button, or select the Any CA option to associate the CA ACL with all CAs.
Figure 24.16. Adding CAs to the CA ACL
- At the top of the CA ACL configuration page, click the button that saves and confirms the changes to the CA ACL.
- Request a new certificate for the user.
- Under the Identity tab and the Users subtab, choose the user for whom the certificate will be requested. Click on the user's user name to open the user entry configuration page.
- Click the actions menu at the top of the user configuration page, and then click New Certificate.
Figure 24.17. Requesting a Certificate for a User
- Fill in the required information.
Figure 24.18. Issuing a Certificate for a User
Then, click the button to issue the certificate.
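Both procedures above (command line and web UI) end up with the same object: a CA ACL that binds a set of principals, a set of certificate profiles and a set of CAs, and IdM only issues a certificate when a request matches all three at once. The following Python model, added here as an illustration and not code from the IdM or FreeIPA project, makes that check explicit so you can reason about what an ACL actually permits before you create it. It assumes the rule as described in this section (at least one enabled ACL must match principal, profile and CA together), and it assumes that an ACL with no CA bound and no Any CA category applies to the root CA ipa, which is the behaviour the command-line procedure relies on when it requests from the root CA without --ca. The names ipa, certificate_profile and users_certificate_profile come from the page; the group vpn-users, the profile vpn_user_profile, the sub-CA vpn-subca and the ACL vpn_users_subca are constructed for the example.

```python
# Added example (not FreeIPA/IdM project code): a small model of the CA ACL
# check that IdM applies to a certificate request. Assumed rule: the request
# is permitted only when at least one enabled CA ACL matches the requesting
# principal, the requested profile and the target CA simultaneously. An ACL
# that binds no CA and has no "Any CA" category is assumed to apply to the
# root CA "ipa". All names except "ipa", "certificate_profile" and
# "users_certificate_profile" are constructed.
from dataclasses import dataclass, field

ROOT_CA = "ipa"  # CA used by ipa cert-request when --ca is not given


@dataclass(frozen=True)
class CaAcl:
    name: str
    enabled: bool = True
    usercat_all: bool = False            # --usercat=all, "Anyone" in the web UI
    users: frozenset = field(default_factory=frozenset)
    groups: frozenset = field(default_factory=frozenset)
    profilecat_all: bool = False         # --profilecat=all
    profiles: frozenset = field(default_factory=frozenset)
    cacat_all: bool = False              # --cacat=all, "Any CA" in the web UI
    cas: frozenset = field(default_factory=frozenset)

    def matches(self, user, user_groups, profile, ca):
        """True when this ACL permits `user` to request `profile` from `ca`."""
        if not self.enabled:
            return False
        user_ok = (self.usercat_all or user in self.users
                   or not user_groups.isdisjoint(self.groups))
        profile_ok = self.profilecat_all or profile in self.profiles
        if self.cacat_all:
            ca_ok = True
        elif self.cas:
            ca_ok = ca in self.cas
        else:
            ca_ok = ca == ROOT_CA  # assumption: no CA bound means the root CA
        return user_ok and profile_ok and ca_ok


def matching_acls(acls, user, user_groups, profile, ca=None):
    """Return the names of the enabled ACLs that permit the request."""
    ca = ca or ROOT_CA
    groups = frozenset(user_groups)
    return [a.name for a in acls if a.matches(user, groups, profile, ca)]


def request_permitted(acls, user, user_groups, profile, ca=None):
    """Overall decision: permitted if any ACL matches."""
    return bool(matching_acls(acls, user, user_groups, profile, ca))


# Constructed policy: the ACL created in this section (any user, one profile,
# root CA only) plus a narrower ACL that limits a sub-CA profile to one group.
EXAMPLE_ACLS = [
    CaAcl("users_certificate_profile", usercat_all=True,
          profiles=frozenset({"certificate_profile"})),
    CaAcl("vpn_users_subca", groups=frozenset({"vpn-users"}),
          profiles=frozenset({"vpn_user_profile"}),
          cas=frozenset({"vpn-subca"})),
]

if __name__ == "__main__":
    checks = [
        ("user", [], "certificate_profile", None),          # permitted, root CA
        ("user", [], "certificate_profile", "vpn-subca"),   # denied: ACL has no sub-CA
        ("user", ["vpn-users"], "vpn_user_profile", "vpn-subca"),  # permitted via group
        ("user", [], "vpn_user_profile", "vpn-subca"),      # denied: not in group
    ]
    for user, groups, profile, ca in checks:
        result = matching_acls(EXAMPLE_ACLS, user, groups, profile, ca)
        print(user, groups, profile, ca or ROOT_CA, "->", result or "DENIED")
```

The two denials in the demonstration are the ones worth internalising: the ACL created with --usercat=all permits every user, but only for the one profile it lists and only from the root CA, so a request for the same profile from a sub-CA is refused until a CA is added to the ACL (or Any CA is selected), and a group-scoped ACL refuses users outside that group even when profile and CA match.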