Hello,
I need to issue some certificates for the AD Environment and I don’t have ADCS in place. So my FreeIPA deployment was with a self-signed CA and the common AD Trust enabled.
Now with this issue I’m looking on the IPA’s documentation and there are some recommendations to deploy IPA as a subCA from ADCS, but as I said, I don’t have it. So I was thinking if it’s possible to issue certificates for Windows machines directly from FreeIPA, and if this is recommended or not.
If it’s possible but it will be a hassle, is there a way to make FreeIPA talk with ADCS after the deployment? I can set up an ADCS instance to keep Windows certificates in a separate location.
I saw this post: https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-integra... but I don’t think it’s the same issue here; the valuable info that I found on this site is about trusting the FreeIPA CA certificate on a Windows environment: “Operationally there is one additional step when the IPA CA is not subordinate to the AD CA: the IPA CA certificate has to be explicitly trusted.”; but the use case does not seem to be on a Windows system.
Thanks for any guidance.
On Sat, Jul 18, 2020 at 12:45:03AM +0000, Vinícius Ferrão via FreeIPA-users wrote:
Hi Vinícius,
FreeIPA does not support the enrolment protocols used by Windows systems. You might have an easier time using AD-CS. If you decide to use AD-CS you have three options on how to relate the PKIs:
a) Have AD-CS as a separate PKI. You will need to add the AD-CS CA cert to IPA's trust store and vice-versa.
b) Re-chain the IPA CA to become a subordinate of the AD-CS CA.
c) Make AD-CS a subordinate of the IPA CA. See [1] for how to issue subordinate CA certs from FreeIPA.
[1] https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinat...
If you decide to continue without AD-CS, we can help with issuance (the profile configuration, CA ACLs, etc) but I have no idea about the procedure on the Windows side (creating the CSR, installing the certificate, etc).
Cheers, Fraser
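The following is an added example, not code from this thread, from FreeIPA or from AD-CS. It models option (a) above with two throwaway OpenSSL root CAs standing in for the IPA CA and the AD-CS root, and shows the point behind "add the AD-CS CA cert to IPA's trust store and vice-versa": a certificate issued by one PKI is rejected by the other side until that PKI's root is explicitly present in the verifier's trust bundle. It assumes `openssl` (1.1.1 or newer) is on PATH; every name and subject (`ipa.example.test`, `ad.example.test`, the file names under `$WORK`) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or AD-CS): simulate option (a),
# two independent PKIs, and show that cross-trust must be configured explicitly.
# Assumes openssl >= 1.1.1 on PATH; all subjects/hostnames are constructed.

WORK="${WORK:-$(mktemp -d)}"

# make_root NAME SUBJECT: create a self-signed root CA (key + cert).
# openssl req -x509 marks the certificate CA:TRUE by default.
make_root() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 30 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_leaf CANAME LEAFNAME SUBJECT: generate a CSR and sign it with CANAME.
make_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -sha256 -days 30 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_against BUNDLE CERT: returns 0 if CERT chains to a root in BUNDLE.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# setup_pkis: the "IPA CA" and the "AD-CS root" are unrelated self-signed
# roots (constructed subjects); each issues one host certificate.
setup_pkis() {
  make_root ipa-ca "/O=IPA.EXAMPLE.TEST/CN=Certificate Authority" &&
  make_root adcs-root "/DC=test/DC=example/DC=ad/CN=AD-CS Root CA" &&
  make_leaf ipa-ca linuxhost "/CN=host.ipa.example.test" &&
  make_leaf adcs-root winhost "/CN=win.ad.example.test"
}

# Before cross-trust: each side rejects the certificates of the other PKI.
leaf_rejected_without_cross_trust() {
  ! verify_against "$WORK/adcs-root.crt" "$WORK/linuxhost.crt" &&
  ! verify_against "$WORK/ipa-ca.crt" "$WORK/winhost.crt"
}

# build_cross_trust: the "add each CA cert to the other's trust store" step,
# modelled here as a single bundle that carries both roots.
build_cross_trust() {
  cat "$WORK/ipa-ca.crt" "$WORK/adcs-root.crt" > "$WORK/cross-trust.pem"
}

# After cross-trust: both host certificates verify against the combined bundle.
leaf_accepted_with_cross_trust() {
  verify_against "$WORK/cross-trust.pem" "$WORK/linuxhost.crt" &&
  verify_against "$WORK/cross-trust.pem" "$WORK/winhost.crt"
}

demo() {
  setup_pkis || { echo "setup failed"; return 1; }
  leaf_rejected_without_cross_trust &&
    echo "before cross-trust: each PKI rejects the other's certificate"
  build_cross_trust
  leaf_accepted_with_cross_trust &&
    echo "after cross-trust: both certificates verify against $WORK/cross-trust.pem"
}

demo
```

In a real deployment the `build_cross_trust` step is split across the two sides: on IPA, `ipa-cacert-manage install` of the AD-CS root certificate followed by `ipa-certupdate` on each enrolled host, and on Windows, importing the IPA CA certificate (`/etc/ipa/ca.crt` on an IPA host) into the machine's Trusted Root Certification Authorities store, for example with `certutil -addstore Root`. Because the two roots stay independent, revoking trust in one PKI later is just removing its root from the other side's store, which is what keeps the two directories untied.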
Hi Fraser, I think I will go with option a). It appears to be the simpler one and I can ditch AD in the future if IPA becomes good enough to replace it. So they aren’t tied.
Thank you.
PS: You’re the same guy from the link.
On 19 Jul 2020, at 23:22, Fraser Tweedale ftweedal@redhat.com wrote:
freeipa-users@lists.fedorahosted.org