Red Hat SummitChapter 2. Managing certificates for users, hosts, and services using the integrated IdM CA
This chapter covers managing certificates in Identity Management (IdM) using the integrated CA, the ipa CA, and its sub-CAs.
2.1. Requesting new certificates for a user, host, or service using IdM Web UI
Follow this procedure to use the Identity Management (IdM) Web UI to request a new certificate for any IdM entity from the integrated IdM certificate authorities (CAs): the ipa CA or any of its sub-CAs.
IdM entities include:
- Users
- Hosts
- Services
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.
Prerequisites
- Your IdM deployment contains an integrated CA.
- You are logged into the IdM Web UI as the IdM administrator.
Procedure
-
Under the
Identitytab, select theUsers,Hosts, orServicessubtab. Click the name of the user, host, or service to open its configuration page.
Figure 2.1. List of Hosts
-
Click
. - Optional: Select the issuing CA and profile ID.
-
Follow the instructions for using the
certutilcommand-line (CLI) utility on the screen. - Click .
2.2. Requesting new certificates for a user, host, or service from IdM CA using certutil
You can use the certutil utility to request a certificate for an Identity Management (IdM) user, host or service in standard IdM situations. To ensure that a host or service Kerberos alias can use a certificate, use the openssl utility to request a certificate instead.
Follow this procedure to request a certificate for an IdM user, host, or service from ipa, the IdM certificate authority (CA), using certutil.
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.
Prerequisites
- Your IdM deployment contains an integrated CA.
- You are logged into the IdM command-line interface (CLI) as the IdM administrator.
Procedure
Create a temporary directory for the certificate database:
# mkdir ~/certdb/
Create a new temporary certificate database, for example:
# certutil -N -d ~/certdb/Create the CSR and redirect the output to a file. For example, to create a CSR for a 4096 bit certificate and to set the subject to CN=server.example.com,O=EXAMPLE.COM:
# certutil -R -d ~/certdb/ -a -g 4096 -s "CN=server.example.com,O=EXAMPLE.COM" -8 server.example.com > certificate_request.csr
Submit the certificate request file to the CA running on the IdM server. Specify the Kerberos principal to associate with the newly-issued certificate:
# ipa cert-request certificate_request.csr --principal=host/server.example.com
The
ipa cert-requestcommand in IdM uses the following defaults:The
caIPAserviceCertcertificate profileTo select a custom profile, use the
--profile-idoption.The integrated IdM root CA,
ipaTo select a sub-CA, use the
--caoption.
Additional resources
-
See the output of the
ipa cert-request --helpcommand. - See Creating and managing certificate profiles in Identity Management.
2.3. Requesting new certificates for a user, host, or service from IdM CA using openssl
You can use the openssl utility to request a certificate for an Identity Management (IdM) host or service if you want to ensure that the Kerberos alias of the host or service can use the certificate. In standard situations, consider requesting a new certificate using the certutil utility instead.
Follow this procedure to request a certificate for an IdM host, or service from ipa, the IdM certificate authority, using openssl.
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.
Prerequisites
- Your IdM deployment contains an integrated CA.
- You are logged into the IdM command-line interface (CLI) as the IdM administrator.
Procedure
- Create one or more aliases for your Kerberos principal test/server.example.com. For example, test1/server.example.com and test2/server.example.com.
In the CSR, add a subjectAltName for dnsName (server.example.com) and otherName (test2/server.example.com). To do this, configure the
openssl.conffile to include the following line specifying the UPN otherName and subjectAltName:otherName=1.3.6.1.4.1.311.20.2.3;UTF8:test2/server.example.com@EXAMPLE.COM DNS.1 = server.example.com
Create a certificate request using
openssl:openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -out certificate_request.csr -config openssl.conf
Submit the certificate request file to the CA running on the IdM server. Specify the Kerberos principal to associate with the newly-issued certificate:
# ipa cert-request certificate_request.csr --principal=host/server.example.com
The
ipa cert-requestcommand in IdM uses the following defaults:The
caIPAserviceCertcertificate profileTo select a custom profile, use the
--profile-idoption.The integrated IdM root CA,
ipaTo select a sub-CA, use the
--caoption.
Additional resources
-
See the output of the
ipa cert-request --helpcommand. - See Creating and managing certificate profiles in Identity Management.
