Chapter 105. Verifying certificates using IdM Healthcheck
Learn more about understanding and using the Healthcheck tool in Identity Management (IdM) to identify issues with IdM certificates maintained by the certmonger utility.
Prerequisites
- The Healthcheck tool is only available in RHEL 8.1 and newer.
105.1. IdM certificates Healthcheck tests
The Healthcheck tool includes several tests for verifying the status of certificates maintained by certmonger in Identity Management (IdM). For details about certmonger, see Obtaining an IdM certificate for a service using certmonger.

This suite of tests checks certificate expiration, validation, trust, and other configuration. Healthcheck can report multiple errors for the same underlying issue.

You can find these certificate tests under the ipahealthcheck.ipa.certs source in the output of the ipa-healthcheck --list-sources command.
- IPACertmongerExpirationCheck

This test checks expirations in certmonger. If an error is reported, the certificate has expired. If a warning appears, the certificate expires soon. By default, a warning appears if the test is run 28 days or fewer before certificate expiration.

You can configure the number of days in the /etc/ipahealthcheck/ipahealthcheck.conf file. After opening the file, change the cert_expiration_days option located in the default section.

Note: Certmonger loads and maintains its own view of the certificate expiration. This check does not validate the on-disk certificate.

- IPACertfileExpirationCheck

This test checks whether the certificate file or NSS database has the correct access rights configured. This test also checks expiration. Therefore, carefully read the msg attribute in the error or warning output. The message specifies the problem.

Note: This test checks the on-disk certificate. If a certificate is missing or unreadable, Healthcheck returns an error.

- IPACertNSSTrust

This test analyzes the trust for certificates stored in the NSS databases. For the expected tracked certificates in the NSS databases, Healthcheck compares the trust to an expected value and raises an error on a non-match.

- IPANSSChainValidation

This test validates the certificate chain of the NSS certificates. The test executes the following command (-u V validates the certificate for the SSL server usage, -e checks the signatures along the chain):

certutil -V -u V -e -d [dbdir] -n [nickname]

- IPAOpenSSLChainValidation

This test validates the certificate chain of the OpenSSL certificates. Specifically, Healthcheck executes the following OpenSSL command:

openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt [cert file]

- IPARAAgent

This test compares the certificate on disk with the equivalent record in LDAP in uid=ipara,ou=People,o=ipaca.

- IPACertRevocation

This test verifies that certificates that are maintained by certmonger have not been revoked.

- IPACertmongerCA

This test verifies the certmonger Certificate Authority (CA) configuration. IdM cannot issue certificates without a CA.

Certmonger maintains a set of CA helpers. A CA named IPA issues certificates for hosts or services through IdM, authenticating as a host or user principal. There are also dogtag-ipa-ca-renew-agent and dogtag-ipa-ca-renew-agent-reuse, which renew the CA subsystem certificates.
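The following is an added example, not part of the IdM documentation or of ipa-healthcheck itself. It reproduces the expiry classification described above for IPACertmongerExpirationCheck (ERROR once the certificate has expired, WARNING within the configured window, SUCCESS otherwise) with the window read from the cert_expiration_days option in the default section of ipahealthcheck.conf. The config text, the request IDs in SAMPLE_TRACKED, the dates, and the function names are all constructed for the example; only the {source, check, result, kw} record shape follows what the tool prints.

```python
# Added example: mirror the IPACertmongerExpirationCheck expiry rules with the
# warning window taken from ipahealthcheck.conf. Not code from ipa-healthcheck.
import configparser
from datetime import datetime, timedelta, timezone

# Constructed stand-in for /etc/ipahealthcheck/ipahealthcheck.conf.
SAMPLE_CONF = """\
[default]
cert_expiration_days = 28
"""

DEFAULT_EXPIRATION_DAYS = 28  # the documented default warning window

# Constructed "now" and a constructed set of certmonger request ids mapped to
# their notAfter dates: one far out, one inside the 28-day window, one expired.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_TRACKED = {
    20: SAMPLE_NOW + timedelta(days=300),
    21: SAMPLE_NOW + timedelta(days=10),
    22: SAMPLE_NOW - timedelta(days=1),
}


def load_expiration_days(conf_text):
    """Return cert_expiration_days from the [default] section, or 28 if unset."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint("default", "cert_expiration_days",
                     fallback=DEFAULT_EXPIRATION_DAYS)


def classify_expiry(request_id, not_after, now, warn_days):
    """Classify one tracked certificate: ERROR once notAfter has passed,
    WARNING when warn_days or fewer remain, SUCCESS otherwise.
    Returns a healthcheck-style {source, check, result, kw} record."""
    remaining = not_after - now
    kw = {"key": request_id, "expiration_date": not_after.isoformat()}
    if remaining <= timedelta(0):
        result = "ERROR"
        kw["msg"] = f"Request id {request_id} expired on {not_after:%Y-%m-%d}"
    elif remaining <= timedelta(days=warn_days):
        result = "WARNING"
        kw["days"] = remaining.days
        kw["msg"] = f"Request id {request_id} expires in {remaining.days} days"
    else:
        result = "SUCCESS"
    return {"source": "ipahealthcheck.ipa.certs",
            "check": "IPACertmongerExpirationCheck",
            "result": result,
            "kw": kw}


def check_tracked(tracked, now, warn_days):
    """Classify every {request_id: not_after} entry, preserving order."""
    return [classify_expiry(rid, exp, now, warn_days)
            for rid, exp in tracked.items()]


if __name__ == "__main__":
    window = load_expiration_days(SAMPLE_CONF)
    for rec in check_tracked(SAMPLE_TRACKED, SAMPLE_NOW, window):
        print(rec["result"], rec["kw"].get("msg", rec["kw"]["key"]))
```

Lowering cert_expiration_days to 7 in the sample config turns request 21 (10 days out) back into SUCCESS, which is the lever to pull when the default window produces too many warnings for short-lived certificates; note that, like the real check, this looks only at the tracked expiry value and says nothing about the certificate actually on disk.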
105.2. Screening certificates using the Healthcheck tool
Follow this procedure to run a standalone manual test of an Identity Management (IdM) certificate health check using the Healthcheck tool.
Prerequisites
- You have root privileges.
Procedure
Enter:

# ipa-healthcheck --source=ipahealthcheck.ipa.certs --failures-only

The --source=ipahealthcheck.ipa.certs option ensures that IdM Healthcheck only performs the certmonger certificate tests, and --failures-only suppresses SUCCESS results so that only the checks that need attention are printed.

A successful run displays empty brackets:

[]

A failed test produces output similar to the following:

{
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertfileExpirationCheck",
  "result": "ERROR",
  "kw": {
    "key": 1234,
    "dbdir": "/path/to/nssdb",
    "error": [error],
    "msg": "Unable to open NSS database '/path/to/nssdb': [error]"
  }
}

This IPACertfileExpirationCheck test failed on opening the NSS database.

Run this suite of Healthcheck tests on all IdM servers when checking for issues, because each server tracks its own certificates and NSS databases.
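The following is an added example, not part of the IdM documentation or of ipa-healthcheck, for turning the JSON the procedure above produces into something a cron job or CI step can act on: it parses the result list, applies the same SUCCESS filtering as --failures-only, groups messages per check, and derives an overall outcome. The records in SAMPLE_OUTPUT are constructed in the shape shown above (the page's [error] placeholder is replaced with a made-up error string and the WARNING and SUCCESS records are invented); the function names, the SEVERITY ordering and run_healthcheck() are this example's own, and run_healthcheck() only works as root on a host where ipa-healthcheck is installed.

```python
# Added example: triage ipa-healthcheck JSON output for the
# ipahealthcheck.ipa.certs source. Not code from ipa-healthcheck.
import json
import shutil
import subprocess
from collections import defaultdict

SOURCE = "ipahealthcheck.ipa.certs"

# Constructed sample in the record shape the tool prints; the error text,
# request id 20 and the Server-Cert nickname are made up for the example.
SAMPLE_OUTPUT = json.dumps([
    {"source": SOURCE, "check": "IPACertfileExpirationCheck", "result": "ERROR",
     "kw": {"key": 1234, "dbdir": "/path/to/nssdb",
            "error": "[Errno 13] Permission denied",
            "msg": "Unable to open NSS database '/path/to/nssdb': "
                   "[Errno 13] Permission denied"}},
    {"source": SOURCE, "check": "IPACertmongerExpirationCheck", "result": "WARNING",
     "kw": {"key": 20, "days": 12, "msg": "Request id 20 expires in 12 days"}},
    {"source": SOURCE, "check": "IPACertNSSTrust", "result": "SUCCESS",
     "kw": {"key": "Server-Cert"}},
])

# Ordering chosen for this example; the result names are the ones
# ipa-healthcheck reports. Unknown names are treated as the most severe.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def parse_results(text):
    """Parse the tool's JSON output. '[]' (nothing to report under
    --failures-only) parses to an empty list."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of result records")
    return data


def failures_only(results):
    """Same filtering as the --failures-only option: drop SUCCESS records."""
    return [r for r in results if r.get("result") != "SUCCESS"]


def summarize(results):
    """Group messages by check and result: {check: {result: [msg, ...]}}.
    Records without a msg fall back to their key so nothing is silently lost."""
    summary = defaultdict(lambda: defaultdict(list))
    for r in results:
        kw = r.get("kw", {})
        msg = kw.get("msg") or f"key={kw.get('key')}"
        summary[r["check"]][r["result"]].append(msg)
    return {check: dict(by_result) for check, by_result in summary.items()}


def worst_result(results):
    """Highest-severity result present; SUCCESS for an empty list."""
    return max((r["result"] for r in results),
               key=lambda name: SEVERITY.get(name, 3), default="SUCCESS")


def run_healthcheck():
    """Run the documented command on an IdM server and parse its stdout.
    The tool exits non-zero when a check fails, so check=False keeps that
    from being raised as an exception before the output is read."""
    if shutil.which("ipa-healthcheck") is None:
        raise FileNotFoundError("ipa-healthcheck is not installed on this host")
    proc = subprocess.run(
        ["ipa-healthcheck", f"--source={SOURCE}", "--failures-only"],
        capture_output=True, text=True, check=False)
    return parse_results(proc.stdout)


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with run_healthcheck() on a real IdM server.
    results = failures_only(parse_results(SAMPLE_OUTPUT))
    for check, by_result in summarize(results).items():
        for result, msgs in by_result.items():
            for msg in msgs:
                print(f"{result:8} {check}: {msg}")
    worst = worst_result(results)
    raise SystemExit(1 if SEVERITY.get(worst, 3) >= SEVERITY["ERROR"] else 0)
```

Because the same underlying fault can surface as several records (the page notes Healthcheck may report multiple errors for one issue), grouping by check before alerting keeps a single unreadable NSS database from paging as three separate incidents.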