Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 24. Managing Certificates for Users, Hosts, and Services

Identity Management (IdM) supports two types of certificate authorities (CAs):
Integrated IdM CA
Integrated CAs can create, revoke, and issue certificates for users, hosts, and services. For more details, see Section 24.1, “Managing Certificates with the Integrated IdM CAs”.
IdM supports creating lightweight sub-CAs. For more details, see Section 26.1, “Lightweight Sub-CAs”
External CA
An external CA is a CA other than the integrated IdM CA.
Using IdM tools, you add certificates issued by these CAs to users, services, or hosts as well as remove them. For more details, see Section 24.2, “Managing Certificates Issued by External CAs”.
Each user, host, or service can have multiple certificates assigned.
Note
For more details on the supported CA configurations of the IdM server, see Section 2.3.2, “Determining What CA Configuration to Use”.

24.1. Managing Certificates with the Integrated IdM CAs
Copia collegamento

24.1.1. Requesting New Certificates for a User, Host, or Service
Copia collegamento

To request a certificate using:
Note that you must generate the certificate request itself with a third-party tool. The following procedures use the certutil and openSSL utilities.
Important
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service's private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the CSR on the service node.

Web UI: Requesting New Certificates

  1. Under the Identity tab, select the Users, Hosts, or Services subtab.
  2. Click the name of the user, host, or service to open its configuration page.

    Figure 24.1. List of Hosts

    List of Hosts
    View larger image
    List of Hosts
  3. Click Actions New Certificate.
  4. Optional: Select the issuing CA and profile ID.
  5. Follow the instructions on the screen for using certutil.
  6. Click Issue.

Command Line: Requesting New Certificates

Request a new certificate using certutil in standard situations - see Section 24.1.1.1, “Requesting New Certificates Using certutil”. Request a new certificate using openSSL to enable a Kerberos alias to use a host or service certificate - see Section 24.1.1.2, “Preparing a Certificate Request With Multiple SAN Fields Using OpenSSL”.

24.1.1.1. Requesting New Certificates Using certutil
Copia collegamento

  1. Create a temporary directory for the certificate database: 
    # mkdir ~/certdb/
    Copy to Clipboard Toggle word wrap
  2. Create a new temporary certificate database, for instance: 
    # certutil -N -d ~/certdb/
    Copy to Clipboard Toggle word wrap
  3. Create the certificate signing request (CSR) and redirect the output to a file. For example, to create a CSR for a 4096 bit certificate and to set the subject to CN=server.example.com,O=EXAMPLE.COM: 
    # certutil -R -d ~/certdb/ -a -g 4096 -s "CN=server.example.com,O=EXAMPLE.COM" -8 server.example.com > certificate_request.csr
    Copy to Clipboard Toggle word wrap
  4. Submit the certificate request to the CA. For details, see Section 24.1.1.4, “Submitting a Certificate Request to the IdM CA”.
  1. Create one or more aliases, for example test1/server.example.com, test2/server.example.com, for your Kerberos principal test/server.example.com. See Section 20.2.1, “Kerberos Principal Alias” for more details.
  2. In the CSR, add a subjectAltName for dnsName (server.example.com) and otherName (test2/server.example.com). To do this, configure the openssl.conf file so that it includes the following line specifying the UPN otherName and subjectAltName: 
    otherName=1.3.6.1.4.1.311.20.2.3;UTF8:test2/server.example.com@EXAMPLE.COM
DNS.1 = server.example.com
    Copy to Clipboard Toggle word wrap
  3. Create a certificate request using openssl: 
    openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -out certificate_request.csr -config openssl.conf
    Copy to Clipboard Toggle word wrap
  4. Submit the certificate request to the CA. For details, see Section 24.1.1.4, “Submitting a Certificate Request to the IdM CA”.

24.1.1.3. Requesting New Certificates Using Certmonger
Copia collegamento

You can use the certmonger service to request a certificate from an IdM CA. For details, see the Requesting a CA-signed Certificate Through SCEP section in the System-level Authentication Guide.

24.1.1.4. Submitting a Certificate Request to the IdM CA
Copia collegamento

Submit the certificate request file to the CA running on the IdM server. Be sure to specify the Kerberos principal to associate with the newly-issued certificate: 
# ipa cert-request certificate_request.csr --principal=host/server.example.com
Copy to Clipboard Toggle word wrap
The ipa cert-request command in IdM uses the following defaults:
  • Certificate profile: caIPAserviceCert
    To select a custom profile, use the --profile-id option with the ipa cert-request command.
    For further details about creating a custom certificate profile, see Section 24.4.1, “Creating a Certificate Profile”.
  • Integrated CA: ipa (IdM root CA)
    To select a sub-CA, use the --ca option with the ipa cert-request command.
For further details, see the output of the ipa cert-request --help command.

24.1.2. Revoking Certificates with the Integrated IdM CAs
Copia collegamento

If you need to invalidate the certificate before its expiration date, you can revoke it. To revoke a certificate using:
A revoked certificate is invalid and cannot be used for authentication. All revocations are permanent, except for reason 6: Certificate Hold.
Expand
Table 24.1. Revocation Reasons
ID Reason Explanation
0 Unspecified
1 Key Compromised
The key that issued the certificate is no longer trusted.
Possible causes: lost token, improperly accessed file.
2 CA Compromised The CA that issued the certificate is no longer trusted.
3 Affiliation Changed
Possible causes:
  • A person has left the company or moved to another department.
  • A host or service is being retired.
4 Superseded A newer certificate has replaced the current certificate.
5 Cessation of Operation The host or service is being decommissioned.
6 Certificate Hold The certificate is temporarily revoked. You can restore the certificate later.
8 Remove from CRL The certificate is not included in the certificate revocation list (CRL).
9 Privilege Withdrawn The user, host, or service is no longer permitted to use the certificate.
10 Attribute Authority (AA) Compromise The AA certificate is no longer trusted.

Web UI: Revoking Certificates

To revoke a certificate:
  1. Open the Authentication tab, and select the Certificates subtab.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 24.2. List of Certificates

    List of Certificates
    View larger image
    List of Certificates
  3. Click Actions Revoke Certificate.
  4. Select the reason for revoking, and click Revoke. See Table 24.1, “Revocation Reasons” for details.

Command Line: Revoking Certificates

Use the ipa cert-revoke command, and specify:
For example, to revoke the certificate with serial number 1032 because of reason 1: Key Compromised: 
$ ipa cert-revoke 1032 --revocation-reason=1
Copy to Clipboard Toggle word wrap

24.1.3. Restoring Certificates with the Integrated IdM CAs
Copia collegamento

If you have revoked a certificate because of reason 6: Certificate Hold, you can restore it again. To restore a certificate using:

Web UI: Restoring Certificates

  1. Open the Authentication tab, and select the Certificates subtab.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 24.3. List of Certificates

    List of Certificates
    View larger image
    List of Certificates
  3. Click Actions Restore Certificate.

Command Line: Restoring Certificates

Use the ipa cert-remove-hold command and specify the certificate serial number. For example: 
$ ipa cert-remove-hold 1032
Copy to Clipboard Toggle word wrap
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat