Hey Guys,
I want to use the IPA CA for PKI on some of our web services (mostly of premises - that's why).
What I do not know is:
1. How to add a profile id for certificate generation for the user so he/she can paste a CSR and get a certificate.
2. How to turn on/off automatic signing. (I would like to review the request before signing.)
3. How can I export the IPA revocation list so it's compliant with servers (CRL format)?
4. Is this a bad idea?
Maciej Drobniuch via FreeIPA-users wrote:
> Hey Guys,
> I want to use the IPA CA for PKI on some of our web services (mostly of premises - that's why)
> What I do not know is:
> - How to add a profile id for certificate generation for the user so he/she can paste a CSR and get a certificate.
https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom...
> - How to turn on/off automatic signing. (I would like to review the request before signing)
No way to do that sort of workflow in IPA right now. You might be able to figure out how to do it in dogtag directly but you'd be off the edge of the map and wouldn't have any support for it.
> - How can I export the IPA revocation list so it's compliant with servers (CRL format)
It already exists at http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
> - Is this a bad idea?
Not really.
You might want to look into Sub-CAs as well so you have a different subject for your user CA.
rob
Hi Maciej,
I concur with the answers in Rob's reply. But I have one question.
On Thu, May 17, 2018 at 04:03:36PM +0200, Maciej Drobniuch via FreeIPA-users wrote:
> - How can I export the IPA revocation list so it's compliant with servers (CRL format)
What do you mean by "compliant with servers"?
Thanks, Fraser
Hey Fraser,
That it is in CRL format.
BR Maciej
Maciej Drobniuch via FreeIPA-users wrote:
> Hey Fraser,
> That it is in CRL format.
Then yes.
rob
> BR Maciej
> --
> Best regards
> Maciej Drobniuch
> Network Security Engineer
> Collective-Sense,LLC
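
The thread concludes that the file served at /ipa/crl/MasterCRL.bin is already a standard CRL. As an added example (not part of the thread and not FreeIPA code), the Python below reads the revoked serial numbers from such a file and wraps it in PEM for consumers that only load PEM, assuming the published file is DER-encoded; the function names are hypothetical and the sample CRL is constructed inline with a dummy signature.

```python
import base64

def tlv(tag, body):                    # DER encoder, only used to build the sample
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Decode the TLV at pos and return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(value):                   # split constructed contents into (tag, value) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def revoked_serials(der):
    """Serial numbers listed in a DER CertificateList (RFC 5280, section 5.1)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER CRL (PEM text or trailing data?)")
    tbs = children(children(body)[0][1])
    # revokedCertificates, if present, directly follows thisUpdate / nextUpdate
    nxt = max(i for i, (t, _) in enumerate(tbs) if t in (0x17, 0x18)) + 1
    if nxt == len(tbs) or tbs[nxt][0] != 0x30:
        return []                      # field is absent when nothing is revoked
    return [int.from_bytes(children(e)[0][1], "big") for _, e in children(tbs[nxt][1])]

def der_to_pem(der):
    """Wrap DER bytes in the PEM armor that PEM-only consumers expect."""
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN X509 CRL-----\n{rows}\n-----END X509 CRL-----\n"

def sample_crl(serials):
    """Constructed, CRL-shaped DER for the demo; the signature bytes are dummy."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Constructed Demo CA"))))
    when = tlv(0x17, b"180518000000Z")
    rows = b"".join(tlv(0x30, tlv(0x02, s.to_bytes(s.bit_length() // 8 + 1, "big")) + when) for s in serials)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name + when + when + (tlv(0x30, rows) if serials else b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 32))
```

For a real file, pass the bytes of the downloaded MasterCRL.bin instead of `sample_crl()`. This code does not check the CRL signature; do that against the CA certificate with a full X.509 library.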