hi guys,
I'm starting to look more thoroughly into the CA, and something I'm not sure is possible, and which I hope you could shed more light on, is this: having IPA deployed with its own CA, is it possible at a later point to move/migrate/change IPA to a subordinate type of CA with AD's CA as root?
Is such a change a SOP, or rather something undocumented/unsupported but possible and risky?
many thanks, L.
On Thu, 20 Jun 2019, lejeczek via FreeIPA-users wrote:
Is such a change a SOP, or rather something undocumented/unsupported but possible and risky?
It is possible and is a routine action.
[1] https://frasertweedale.github.io/blog-redhat/posts/2018-11-20-ca-renewal-mas...
[2] https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html
[3] https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinat...
See also https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_exter... -- these are our tests of this feature which run for every pull request. Look at TestSelfExternalSelf suite, it should be more or less self-explanatory.
On 20/06/2019 14:38, Alexander Bokovoy wrote:
See also https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_exter...
-- these are our tests of this feature which run for every pull request. Look at TestSelfExternalSelf suite, it should be more or less self-explanatory.
Okay, great, that should help, many thanks.
I've just thumbed through it, and either I missed it or it's not there: a clear description of the process, as I mentioned earlier, of moving/migrating/changing IPA's CA/PKI to Win AD.
Does the IPA CA have to be removed or demoted first, or is a clean setup without a CA required in order to tap into AD's?
On Tue, 02 Jul 2019, lejeczek via FreeIPA-users wrote:
Does the IPA CA have to be removed or demoted first, or is a clean setup without a CA required in order to tap into AD's?
It is up to you. The process to switch to an external CA is the same, use the 'ipa-cacert-manage renew' command:
Step 1:
# ipa-cacert-manage renew --external-ca-type ms-cs \
    --external-ca-profile MySubCA
Exporting CA certificate signing request, please wait
Step 2 is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
# ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate \
    --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful
This is all described in Fraser's blog [2] above.
On 02/07/2019 13:13, Alexander Bokovoy wrote:
This is all described in Fraser's blog [2] above.
No, not really, unless I've gone dumb & blind.
That post, very informative & helpful, shows how:
"Renewing the certificate
FreeIPA provides the ipa-cacert-manage renew command for renewing an externally-signed CA certificate..."
"External CA installation in FreeIPA.
FreeIPA supports installation with an externally..."
And nowhere is there a mention of how to transition from IPA's CA to an external AD CA. Again, I was asking how to move/migrate/change IPA's CA/PKI to Win AD.
When, like me, you have IPA's CA working, does the IPA CA then have to be removed or demoted first, or is a clean setup/reinstallation of IPA without a CA required in order to tap into AD's?
If I do:
$ ipa-cacert-manage renew --external-ca-type ms-cs --external-ca-profile MySubCA
Renewing CA certificate, please wait
You cannot specify --external-ca-type when renewing a self-signed CA
The ipa-cacert-manage command failed.
Or is there a way to transition/move/migrate (however I should call it) to an external AD CA from the existing IPA CA without dismantling the whole of IPA?
many thanks, L.
On 7/10/19 1:11 PM, lejeczek via FreeIPA-users wrote:
Or is there a way to transition/move/migrate (however I should call it) to an external AD CA from the existing IPA CA without dismantling the whole of IPA?
Hi,
please have a look at [1] Changing the Certificate chain:
----8<----
Self-signed CA certificate → externally-signed CA certificate
Add the --external-ca option to ipa-cacert-manage renew. This renews the self-signed CA certificate as an externally-signed CA certificate. For details on running the command with this option, see Section 26.2.2, “Renewing CA Certificates Manually”.
---->8----
you need to specify --external-ca --external-ca-type ms-cs --external-ca-profile MySubCA
HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Wed, Jul 10, 2019 at 04:55:29PM +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
you need to specify --external-ca --external-ca-type ms-cs --external-ca-profile MySubCA
But replace "MySubCA" with the appropriate template name. Or leave it out if the default template name ("SubCA") is correct. You can also specify template by OID. Read `man 1 ipa-cacert-manage` for full details.
Cheers, Fraser
On 11/07/2019 01:42, Fraser Tweedale via FreeIPA-users wrote:
But replace "MySubCA" with the appropriate template name. Or leave it out if the default template name ("SubCA") is correct. You can also specify template by OID. Read `man 1 ipa-cacert-manage` for full details.
AD's end: is "Appendix B: creating a custom sub-CA certificate template" a must-have or optional, and can it be skipped over to "Appendix C: issuing a certificate"?
I imagine quite a few of us, those who do not have control over the AD domain and need to rely on those who have, must be asking that question.
many thanks, L.
ps. templates/profiles - is there more one could read to understand what SubCA is, what IPA's default profile is, etc.?
On Wed, Jul 17, 2019 at 12:46:15PM +0100, lejeczek via FreeIPA-users wrote:
AD's end: is "Appendix B: creating a custom sub-CA certificate template" a must-have or optional, and can it be skipped over to "Appendix C: issuing a certificate"?
I imagine quite a few of us, those who do not have control over the AD domain and need to rely on those who have, must be asking that question.
It is not essential to use a custom sub-CA template for the IPA CA. The default ("SubCA") works just fine (subject to policy).
ps. templates/profiles - is there more one could read to understand what SubCA is, what IPA's default profile is, etc.?
"Template" in AD and "profile" in IPA are the same concept: defining how to build the certificate to be issued, and constraints.
The AD "SubCA" template issues a CA certificate (Basic Constraints extension with CA: TRUE) signed by the AD CA. Common reasons to define a custom sub-CA template are to specify the pathLenConstraint (i.e. can the subject issue further sub-CAs?), or the Name Constraints extension (what namespaces can the subject issue certificates for?).
I don't know for sure if AD has a default template; I have only ever seen the template explicitly specified in the CSR but maybe there are other ways.
In IPA the default profile is "caIPAserviceCert" which is suitable for TLS services.
Cheers, Fraser
On 18/07/2019 00:49, Fraser Tweedale wrote:
It is not essential to use a custom sub-CA template for the IPA CA. The default ("SubCA") works just fine (subject to policy).
I confess I skipped it and just went straight to "submit request" and then back to IPA, which worked okay (sorry, UTF8 (win 2016) was the bit needed; without it "renew" failed).
How can one check, or look for confirmation (apart from the executed commands being successful), for peace of mind and curiosity, that AD is in IPA's cert chain?
many thanks, L.
Is changing the chain (apart from the risk attached to doing something, anything, and that something can go wrong) healthy, security-wise? E.g. having the AD CA as root, then changing to another AD, then maybe back to IPA's own.
many thanks, L.
lejeczek via FreeIPA-users wrote:
How can one check, or look for confirmation (apart from the executed commands being successful), for peace of mind and curiosity, that AD is in IPA's cert chain?
Look at issuer in the IPA CA certificate. It should be the DN of the AD CA.
rob
On Thu, Jul 18, 2019 at 10:02:00AM +0100, lejeczek via FreeIPA-users wrote:
Is changing the chain (apart from the risk attached to doing something, anything, and that something can go wrong) healthy, security-wise? E.g. having the AD CA as root, then changing to another AD, then maybe back to IPA's own.
Hi L,
It depends on your objectives. A common reason to re-chain is to move to a chain with an offline root or keys in HSM, or because your old external CA has been or will be decommissioned, and so on.
The risk of something going wrong is... low, if you know what to check for. Things that FreeIPA checks automatically, before accepting a new chaining, include:
- key sizes of all CAs in the chain are acceptable
- signing algorithms of every CA in the chain are acceptable
- Basic Constraints: CA: True on every cert in the chain
- Sanity checking the PathLenConstraint
- All certs have Subject Key Identifier
- All certs are valid
Things you might need to check yourself include:
- All non-root certs have Authority Key Identifier matching issuer Subject Key Identifier
- Subject and Issuer DN string attribute encodings match up, and IPA CA Subject DN string attribute encodings have not changed. (See blog posts [1] and [2])
- Name constraints on all certs are appropriate (see blog post [3]).
- Probably lots of other things I haven't thought of
[1] https://frasertweedale.github.io/blog-redhat/posts/2018-03-15-x509-dn-attrib...
[2] https://frasertweedale.github.io/blog-redhat/posts/2019-05-28-a-dn-is-not-a-...
[3] https://frasertweedale.github.io/blog-redhat/posts/2019-01-29-name-constrain...
So... changing the chaining should not be done for its own sake. If you need to do it, do it. Otherwise, do not :)
Cheers, Fraser
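A worked version of the checks in this thread, as an added example (my code, not FreeIPA's and not something anyone in the thread posted). It builds a throw-away "AD root" and "IPA sub-CA" in memory with Python's `cryptography` library (present on IPA servers as a FreeIPA dependency), then runs the checks Fraser lists as automatic (key size, signature hash, CA:TRUE, pathLenConstraint against the cert's position in the chain, Subject Key Identifier, validity) and two of the manual ones (Authority Key Identifier against the issuer's SKI, and issuer/subject DN compared as DER bytes so a string attribute encoding difference shows up), which also covers Rob's "look at the issuer" check. The CA names, the `ipa.example.test` name constraint and all function names are my assumptions; the demo chain also shows where CA:TRUE, pathLenConstraint and Name Constraints sit when a sub-CA template such as AD's "SubCA" is used.

```python
"""Sanity checks on a CA chain, after Fraser's checklist and Rob's issuer check above.
Added example, not FreeIPA code; the demo chain is constructed in memory."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _ext(cert, cls):
    """Extension value of class cls, or None when the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def make_ca_cert(cn, key, issuer=None, issuer_key=None, pathlen=None, permitted_dns=()):
    """Constructed demo CA certificate; self-signed when issuer is None."""
    now = datetime.datetime.now(datetime.timezone.utc)
    signer = issuer_key or key
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn))
         .issuer_name(issuer.subject if issuer else _name(cn))
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=365))
         # CA:TRUE plus pathLenConstraint (may the subject issue further sub-CAs?)
         .add_extension(x509.BasicConstraints(ca=True, path_length=pathlen), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer.public_key()), critical=False))
    if permitted_dns:  # Name Constraints: which namespaces the subject may issue for
        b = b.add_extension(x509.NameConstraints(
            permitted_subtrees=[x509.DNSName(d) for d in permitted_dns], excluded_subtrees=None), critical=True)
    return b.sign(signer, hashes.SHA256())

def build_demo_chain(root_pathlen=1):
    """[ipa_ca, ad_root]: a constructed stand-in for the IPA CA bundle after re-chaining (assumed names)."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sub_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = make_ca_cert("Example AD Root CA", root_key, pathlen=root_pathlen)
    sub = make_ca_cert("Certificate Authority", sub_key, issuer=root, issuer_key=root_key,
                       pathlen=0, permitted_dns=("ipa.example.test",))
    return [sub, root]

def order_chain(certs):
    """Order an unordered bundle sub-CA first, by starting at the cert nobody issued for."""
    by_subject = {c.subject.public_bytes(): c for c in certs}
    issued_for = {c.issuer.public_bytes() for c in certs if c.issuer != c.subject}
    ordered = [next(c for c in certs if c.subject.public_bytes() not in issued_for)]
    while ordered[-1].issuer != ordered[-1].subject:
        parent = by_subject.get(ordered[-1].issuer.public_bytes())
        if parent is None:  # issuer missing from the bundle: stop, the caller sees a short chain
            break
        ordered.append(parent)
    return ordered

def check_chain(chain):
    """chain[0] is the IPA CA, chain[-1] the root. Returns findings; an empty list is clean."""
    findings = []
    for i, cert in enumerate(chain):
        who = cert.subject.rfc4514_string()
        pub = cert.public_key()
        if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < 2048:
            findings.append(f"{who}: RSA key is only {pub.key_size} bits")
        if isinstance(cert.signature_hash_algorithm, (hashes.MD5, hashes.SHA1)):
            findings.append(f"{who}: signed with {cert.signature_hash_algorithm.name}")
        bc = _ext(cert, x509.BasicConstraints)
        if bc is None or not bc.ca:
            findings.append(f"{who}: Basic Constraints missing or CA:FALSE")
        elif bc.path_length is not None and bc.path_length < i:  # i = CA certs below this one
            findings.append(f"{who}: pathLenConstraint {bc.path_length} too small for {i} sub-CA(s)")
        if _ext(cert, x509.SubjectKeyIdentifier) is None:
            findings.append(f"{who}: no Subject Key Identifier")
        nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before  # aware on cryptography >= 42
        na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
        now = datetime.datetime.now(datetime.timezone.utc) if nb.tzinfo else datetime.datetime.utcnow()
        if not nb <= now <= na:
            findings.append(f"{who}: outside its validity period")
        if i + 1 == len(chain):
            continue
        issuer = chain[i + 1]
        # Rob's check, on DER bytes so a PrintableString/UTF8String mismatch in the DN is caught too
        if cert.issuer.public_bytes() != issuer.subject.public_bytes():
            findings.append(f"{who}: issuer DN is not byte-identical to {issuer.subject.rfc4514_string()}")
        aki, iski = _ext(cert, x509.AuthorityKeyIdentifier), _ext(issuer, x509.SubjectKeyIdentifier)
        if aki is None or iski is None or aki.key_identifier != iski.digest:
            findings.append(f"{who}: Authority Key Identifier does not match the issuer's SKI")
        ipub = issuer.public_key()
        if isinstance(ipub, rsa.RSAPublicKey):  # demo keys are RSA; an EC issuer would need ec.ECDSA
            try:
                ipub.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
            except InvalidSignature:
                findings.append(f"{who}: signature does not verify with the issuer's key")
    return findings
```

On a real server, load each certificate of the bundle with `x509.load_pem_x509_certificate`, pass the list through `order_chain()` and then `check_chain()`; which file holds the bundle on your install (for example /etc/ipa/ca.crt) is an assumption to confirm locally. Name constraints are deliberately not judged automatically: `_ext(cert, x509.NameConstraints)` returns them so a person can decide whether they are appropriate, as Fraser says. With `build_demo_chain(root_pathlen=0)` the root's pathLenConstraint forbids the IPA sub-CA beneath it and the check reports it.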