32.2. Certificates internal to IdM
Which internal certificates you have depends on how you installed IdM and which components that installation included. Depending on your installation, the following certificates might be stored on your system.
IdM CA certificate
The IdM CA certificate is used by IdM to sign all other certificates. Note that it is not present in CA-less installations.
| caSigningCert | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | Self-signed or signed by an external CA |
| Subject | Note that this is the default value but it can be customized during the IdM server installation. |
| Additional information | Must have |
External CA certificate
If you are using an external CA, the chain of external CAs must be available in IdM to validate IdM certificates. For a CA-less installation, the external CA certificate must be present in various locations, including LDAP and the /etc/ipa/ca.crt file, to validate the HTTPD and LDAP certificates.
You do not have to add the external CA certificate to all the required locations manually, because this is done automatically during the installation. However, if the external CA certificate is updated later, follow the steps in Renewing the IdM CA renewal server certificate using an external CA to ensure the new certificate is added to every location where it is required.
| External certificate | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | External CA-signed |
| Subject | External CA subject |
| Additional information | You must have all the certificates in the chain in DER format and you must import them into LDAP. Must have |
Subsystem CA certificate
This certificate is used to authenticate to the LDAP server when writing to the LDAP database. This certificate is not present in CA-less installations.
| subsystemCert | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | IPA CA |
| Subject | |
| Additional information | Be wary of a serial and blob mismatch in LDAP. For example, |
Audit signing certificate
This certificate is used to sign the audit logs. Note that it is not present in CA-less installations.
| auditSigningCert | Description |
|---|---|
| File system location | |
| LDAP location | No dedicated LDAP location, shared via |
| Issuer | IPA CA |
| Subject | |
| Additional information | Must have |
OCSP signing certificate
This certificate is used to provide Online Certificate Status Protocol (OCSP) services. Note that it is not present in CA-less installations.
| ocspSigningCert | Description |
|---|---|
| File system location | |
| LDAP location | No dedicated LDAP location, shared via |
| Issuer | IPA CA |
| Subject | |
Tomcat servlet certificate
This certificate is used when a client contacts the PKI. Note that this server certificate is specific to the host and it is not present in CA-less installations.
| Server-Cert | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | IPA CA |
| Subject | CN=$HOSTNAME,O=REALM.NAME |
Registration authority certificate
This certificate is used by certmonger, as well as by the IdM framework, to authenticate to the PKI. For example, if you run ipa cert-show 1, HTTPD communicates with the PKI and authenticates with this certificate. It is not present in CA-less installations.
| RA agent | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | IPA CA |
| Subject | |
| Additional information | Be wary of a serial and blob mismatch in LDAP. For example, |
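The serial and blob mismatch that the subsystem and RA agent entries warn about can be caught by decoding the serial number from the stored DER blob and comparing it with the serial recorded beside it. The following is an added example written for this page, not code from the IdM documentation or the IdM project; it uses only the Python standard library, and the certificate it checks is a constructed skeleton rather than a real IdM certificate.

```python
# Added example, not code from the Red Hat IdM documentation or from IdM itself:
# decode the serialNumber inside a DER certificate blob and compare it with the
# serial recorded beside the blob, to catch the serial/blob mismatch noted above.
def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_serial(cert_der: bytes) -> int:
    """Return the serialNumber of an X.509 certificate given as DER bytes."""
    tag, cert, _ = _read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("blob is not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, pos = _read_tlv(tbs, 0)         # optional [0] EXPLICIT version comes first
    if tag != 0xA0:
        pos = 0                             # v1 certificate: serialNumber is first
    tag, value, _ = _read_tlv(tbs, pos)     # serialNumber ::= INTEGER
    if tag != 0x02:
        raise ValueError("missing serialNumber")
    return int.from_bytes(value, "big", signed=True)

def serial_matches(recorded_serial: int, cert_der: bytes) -> bool:
    """True when the serial stored next to the blob equals the one inside it."""
    return der_serial(cert_der) == recorded_serial

# --- constructed sample input (not a real IdM certificate) -------------------
def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (short-form length only), for the sample skeleton."""
    return bytes([tag, len(body)]) + body

def sample_cert(serial: int) -> bytes:
    """Certificate skeleton: [0] v3, serialNumber, then empty placeholder fields."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser) + _tlv(0x30, b"") * 5
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    blob = sample_cert(0x1F2E3D4C)
    print("recorded 0x1F2E3D4C matches blob:", serial_matches(0x1F2E3D4C, blob))  # True
    print("recorded 0x1F2E3D4D matches blob:", serial_matches(0x1F2E3D4D, blob))  # False
```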
HTTPD front end certificate
This certificate is used by the HTTPD front end to secure connections to the Web UI and API. It must be present.
| HTTPD | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | IPA CA or external CA in CA-less installations |
| Subject | |
| The extensions that the certificate must contain | |
LDAP TLS and STARTTLS certificate
This certificate is used for LDAP TLS and STARTTLS connections. It must be present.
| LDAP | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | IPA CA or external CA in CA-less installations |
| Subject | |
| The extensions that the certificate must contain | |
KDC certificate
This certificate is used for PKINIT by the IdM KDC.
| KDC | Description |
|---|---|
| File system location | |
| LDAP location | |
| Issuer | IPA CA or external CA in CA-less installations |
| Subject | |
| Additional information | Must have extended key usage |