Hello,
I am looking at using FreeIPA without a CA, using externally signed certificates; reading the documentation it looks possible using --dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just create a CSR for the hostname by hand and get it signed? Also is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
Regards Henrik
It would create CSR for you on install.
On Wed, Oct 31, 2018 at 1:22 PM Henrik Johansson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
I am looking at using FreeIPA without a CA, using externally signed certificates; reading the documentation it looks possible using --dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just create a CSR for the hostname by hand and get it signed? Also is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
Regards Henrik
On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
It would create CSR for you on install.
When are they generated? I know it does that when configuring IPA as a sub-CA with "--external-ca", but without any CA I am supposed to specify the certificates when running ipa-server-install?
"You must request these certificates from a third-party authority prior to the installation: An LDAP server certificate and a private key
An Apache server certificate and a private key
Full CA certificate chain of the CA that issued the LDAP and Apache server certificates”
And the only options related to this seem to be the ones specifying the location of the certificates to use?
Thanks Henrik
Henrik Johansson via FreeIPA-users wrote:
On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
It would create CSR for you on install.
When are they generated? I know it does that when configuring IPA as a sub-CA with "--external-ca", but without any CA I am supposed to specify the certificates when running ipa-server-install?
A CSR is not generated in the CAless case. You have to provide a PKCS#12 file containing the private key and certificate for each type of certificate required (yes you can use the same for LDAP and HTTP). The CA chain can be provided using --ca-cert-file IIRC. Where this comes from is up to you.
"You must request these certificates from a third-party authority prior to the installation:
An LDAP server certificate and a private key
An Apache server certificate and a private key
Full CA certificate chain of the CA that issued the LDAP and Apache server certificates”
And the only options related to this seem to be the ones specifying the location of the certificates to use?
Correct. AND you have to do the same when setting up any replicas.
rob
On Wed, Oct 31, 2018 at 11:58:57AM -0400, Rob Crittenden via FreeIPA-users wrote:
Henrik Johansson via FreeIPA-users wrote:
On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
It would create CSR for you on install.
When are they generated? I know it does that when configuring IPA as a sub-CA with "--external-ca", but without any CA I am supposed to specify the certificates when running ipa-server-install?
A CSR is not generated in the CAless case. You have to provide a PKCS#12 file containing the private key and certificate for each type of certificate required (yes you can use the same for LDAP and HTTP). The CA chain can be provided using --ca-cert-file IIRC. Where this comes from is up to you.
Note that you'll have a hard time getting a certificate signed by a public CA with the appropriate Extended Key Usage and Subject Alternative Name values for a KDC certificate. If you are getting certificates from some other internal CA controlled by your organisation, no worries. Otherwise, you'll have to make do without Kerberos PKINIT support.
Cheers, Fraser
On 1 Nov 2018, at 00:51, Fraser Tweedale <ftweedal@redhat.com> wrote:
Note that you'll have a hard time getting a certificate signed by a public CA with the appropriate Extended Key Usage and Subject Alternative Name values for a KDC certificate. If you are getting certificates from some other internal CA controlled by your organisation, no worries. Otherwise, you'll have to make do without Kerberos PKINIT support.
Thanks, you mean the UPN: krbtgt/DOMAIN.NET@DOMAIN.NET part?
We have an internal CA, I guess I'll try to generate a CSR with certutil and submit it. It will be quite a few UPNs/SANs if I want one certificate for all servers for LDAP/HTTP and PKINIT respectively. Maybe have two per server and a common name for a load balancer in each certificate; this is really not my area of expertise, it was so much easier with the provided CA in IPA :)
Regards Henrik
On Thu, 01 Nov 2018, Henrik Stigendal via FreeIPA-users wrote:
On 1 Nov 2018, at 00:51, Fraser Tweedale <ftweedal@redhat.com> wrote:
Note that you'll have a hard time getting a certificate signed by a public CA with the appropriate Extended Key Usage and Subject Alternative Name values for a KDC certificate. If you are getting certificates from some other internal CA controlled by your organisation, no worries. Otherwise, you'll have to make do without Kerberos PKINIT support.
Thanks, you mean the UPN: krbtgt/DOMAIN.NET@DOMAIN.NET part?
We have an internal CA, I guess I'll try to generate a CSR with certutil and submit it. It will be quite a few UPNs/SANs if I want one certificate for all servers for LDAP/HTTP and PKINIT respectively. Maybe have two per server and a common name for a load balancer in each certificate; this is really not my area of expertise, it was so much easier with the provided CA in IPA :)
If you have an internal CA, it would be much easier to get that CA to sign IPA CA as a sub-CA. Then clients will trust IPA CA-issued certificates if they trust internal CA already.
On 1 Nov 2018, at 10:39, Alexander Bokovoy <abokovoy@redhat.com> wrote:
Thanks, you mean the UPN: krbtgt/DOMAIN.NET@DOMAIN.NET part?
We have an internal CA, I guess I'll try to generate a CSR with certutil and submit it. It will be quite a few UPNs/SANs if I want one certificate for all servers for LDAP/HTTP and PKINIT respectively. Maybe have two per server and a common name for a load balancer in each certificate; this is really not my area of expertise, it was so much easier with the provided CA in IPA :)
If you have an internal CA, it would be much easier to get that CA to sign IPA CA as a sub-CA. Then clients will trust IPA CA-issued certificates if they trust internal CA already.
I would love to, but they are not very keen on giving me a sub-CA, and if they do they want me to always throw the keys into HSMs, which I don't have.
This does not seem like a common configuration; maybe I will create a temporary CA that I control to find out exactly how the requests should look, otherwise there will be trial and error with real certificates and wait times for every certificate.
Thanks Henrik
On Wed, 31 Oct 2018, Henrik Johansson via FreeIPA-users wrote:
Hello,
I am looking at using FreeIPA without a CA, using externally signed certificates; reading the documentation it looks possible using --dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just create a CSR for the hostname by hand and get it signed? Also is there any good reason for having different certs for http, ldap and pkinit? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
For the latter part, it is better to separate PKINIT cert out. It requires very specific Kerberos principal name in the certificate.
For HTTP and LDAP you can reuse the same certificate.
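Added example, not from this thread or from the FreeIPA project: a POSIX shell script that generates the two requests discussed above with OpenSSL instead of certutil. It produces one server certificate request with DNS SANs for the HTTP and LDAP services (which Rob and Alexander say may share a certificate) and a separate KDC certificate request carrying the id-pkinit-KDC extended key usage (1.3.6.1.5.2.3.5) and an id-pkinit-san otherName (1.3.6.1.5.2.2) holding the krbtgt/REALM@REALM principal name that Fraser and Alexander refer to. The hostname ipa1.example.com, the load-balancer name ipa.example.com, the realm EXAMPLE.COM, the PKCS#12 pin Secret123 and all file names are assumptions; the KDC extension layout follows the MIT Kerberos PKINIT documentation, and the sanity-check grep assumes the EKU is printed either as its OID or under OpenSSL's name "Signing KDC Response".

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): CSRs for a CA-less
# FreeIPA server. Assumed values: host ipa1.example.com, load balancer name
# ipa.example.com, realm EXAMPLE.COM, PKCS#12 pin Secret123.
# The KDC certificate layout follows the MIT Kerberos PKINIT documentation.
set -e

# write_server_cnf HOST [EXTRA_SAN...]: OpenSSL request config for the
# certificate shared by the HTTP and LDAP services of one server.
write_server_cnf() {
    host=$1; shift
    sans="DNS:$host"
    for n in "$@"; do sans="$sans,DNS:$n"; done
    cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = srv_ext
[ dn ]
CN = $host
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
}

# write_kdc_cnf HOST REALM: request config for the separate PKINIT KDC
# certificate. The SAN is an id-pkinit-san otherName holding a DER-encoded
# KRB5PrincipalName for krbtgt/REALM@REALM, built by OpenSSL's ASN.1 generator.
write_kdc_cnf() {
    cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = kdc_ext
[ dn ]
CN = $1
[ kdc_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:$1
[ kdc_princ_name ]
realm = EXP:0,GeneralString:$2
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
[ kdc_principal_seq ]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals
[ kdc_principals ]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$2
EOF
}

# make_csr NAME CNF: fresh RSA key plus CSR; NAME.csr goes to the internal CA.
make_csr() {
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$1.key" -out "$1.csr" -config "$2"
}

# check_kdc_cert CERT: sanity check before install; the issued KDC certificate
# must still carry the id-pkinit-KDC EKU after the CA has signed it.
check_kdc_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -Eq '1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response'
}

# pack_p12 NAME CHAIN PIN: bundle NAME.crt, NAME.key and the CA chain into the
# PKCS#12 file that ipa-server-install expects for each service.
pack_p12() {
    openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile "$2" \
        -name "$1" -out "$1.p12" -passout "pass:$3"
}

# Usage: generate both requests (skipped when openssl is not installed, so the
# config functions above can still be exercised on their own).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    write_server_cnf ipa1.example.com ipa.example.com > "$work/server.cnf"
    write_kdc_cnf ipa1.example.com EXAMPLE.COM > "$work/kdc.cnf"
    (cd "$work" && make_csr server server.cnf && make_csr kdc kdc.cnf)
    echo "submit $work/server.csr and $work/kdc.csr to the internal CA"
    # Once server.crt, kdc.crt and the CA chain chain.pem are back:
    #   check_kdc_cert kdc.crt
    #   pack_p12 server chain.pem Secret123 && pack_p12 kdc chain.pem Secret123
    #   ipa-server-install --dirsrv-cert-file server.p12 --http-cert-file server.p12 \
    #       --pkinit-cert-file kdc.p12 --dirsrv-pin Secret123 --http-pin Secret123 \
    #       --pkinit-pin Secret123 --ca-cert-file chain.pem ...
fi
```

Run the script once per server, including every replica, with that server's own hostname, since the certificates are per host even when the load-balancer name is added as an extra SAN. To see what the CA will be asked to sign before submitting, run openssl req -in kdc.csr -noout -text and look at the Requested Extensions section; openssl asn1parse -in kdc.csr shows the raw KRB5PrincipalName structure if the CA rejects the otherName.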