Hello,
I would like to know if someone was able to use OpenSSH with certificates managed from the Dogtag CA of FreeIPA.
My goal is to be able to issue certificates for users and perhaps use host keys generated from this CA. I know this may be redundant since FreeIPA already manages host keys, but since the CA is already in place, why not?
My question is just to know if someone made this, or if someone already tried this and it was broken or unsupported.
Thanks all.
PS: If someone wants to just say "leave that, it's useless", I'm open to hearing about it.
On Fri, 22 Nov 2019, Vinícius Ferrão via FreeIPA-users wrote:
> Hello,
> I would like to know if someone was able to use OpenSSH with certificates managed from the Dogtag CA of FreeIPA.
> My goal is to be able to issue certificates for users and perhaps use host keys generated from this CA. I know this may be redundant since FreeIPA already manages host keys, but since the CA is already in place, why not?
> My question is just to know if someone made this, or if someone already tried this and it was broken or unsupported.
> Thanks all.
> PS: If someone wants to just say "leave that, it's useless", I'm open to hearing about it.

Not to disappoint, but the use of 'CA certificates' by OpenSSH for naming OpenSSH keys is one of the sources of confusion. I found https://blog.habets.se/2011/07/OpenSSH-certificates.html useful when understanding what it is.
In short, they aren't anything close to X.509 formats and cannot be issued or signed by Dogtag (or any other normal CA).
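To make the point concrete, here is an added example (not code from the thread or from FreeIPA/OpenSSH) that encodes and decodes an ed25519 OpenSSH user certificate in the layout ssh-keygen writes to `id_ed25519-cert.pub`: a flat sequence of RFC 4251 length-prefixed strings and big-endian integers, with no ASN.1/DER, no issuer/subject DN and no X.509 extensions, which is why an X.509 CA like Dogtag has nothing it could sign. The key bytes, nonce and signature below are constructed placeholders (the blob parses but its signature would not verify), and the names in the sample (`vferrao`, `example.test`, the `source-address` range) are made up for illustration.

```python
"""Encode/decode an OpenSSH ed25519 certificate (field order per OpenSSH's
PROTOCOL.certkeys). Added example; placeholder keys and signature, not real."""
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2


def _string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _name_list(names):
    """Principals: zero or more concatenated strings inside one string."""
    return b"".join(_string(n.encode()) for n in names)


def _options(pairs):
    """Critical options / extensions: (name, data) pairs, lexically sorted by
    name as OpenSSH requires. Flag entries (permit-pty) have an empty data
    field; valued entries (source-address) wrap the value in a nested string."""
    return b"".join(
        _string(name.encode()) + _string(_string(value.encode()) if value else b"")
        for name, value in sorted(pairs))


def encode_cert(pubkey, serial, cert_type, key_id, principals, valid_after,
                valid_before, critical, extensions, ca_pubkey, signature, nonce):
    """Build the certificate blob. Everything before the final signature field
    is what the CA signs with its (non-X.509) SSH key."""
    signed = (_string(CERT_TYPE) + _string(nonce) + _string(pubkey)
              + struct.pack(">Q", serial) + struct.pack(">I", cert_type)
              + _string(key_id.encode()) + _string(_name_list(principals))
              + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
              + _string(_options(critical)) + _string(_options(extensions))
              + _string(b"")                                             # reserved
              + _string(_string(b"ssh-ed25519") + _string(ca_pubkey)))   # signature key
    return signed + _string(_string(b"ssh-ed25519") + _string(signature))


class _Reader:
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.off); self.off += 4; return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.off); self.off += 8; return v

    def string(self):
        n = self.u32()
        v = self.buf[self.off:self.off + n]
        if len(v) != n:
            raise ValueError("truncated string")
        self.off += n
        return v

    def at_end(self):
        return self.off == len(self.buf)


def _read_names(buf):
    r, names = _Reader(buf), []
    while not r.at_end():
        names.append(r.string().decode())
    return names


def _read_options(buf):
    r, opts = _Reader(buf), {}
    while not r.at_end():
        name, data = r.string().decode(), r.string()
        opts[name] = _Reader(data).string().decode() if data else ""
    return opts


def parse_cert(blob):
    """Decode a certificate blob into a dict; rejects wrong type / trailing bytes."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519-cert-v01@openssh.com blob")
    c = {"nonce": r.string(), "pubkey": r.string(), "serial": r.u64(),
         "type": r.u32(), "key_id": r.string().decode(),
         "principals": _read_names(r.string()), "valid_after": r.u64(),
         "valid_before": r.u64(), "critical": _read_options(r.string()),
         "extensions": _read_options(r.string())}
    r.string()  # reserved, currently always empty
    sk = _Reader(r.string()); c["ca_key_type"], c["ca_pubkey"] = sk.string().decode(), sk.string()
    sg = _Reader(r.string()); c["sig_type"], c["signature"] = sg.string().decode(), sg.string()
    if not r.at_end():
        raise ValueError("trailing bytes after signature")
    return c


def is_der_sequence(blob):
    """True if the blob starts with the DER SEQUENCE tag (0x30) that every X.509
    Certificate begins with. An SSH cert starts with the length of its type string."""
    return blob[:1] == b"\x30"


def to_pub_line(blob, comment):
    """The one-line form ssh-keygen writes to *-cert.pub."""
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode() + " " + comment


def from_pub_line(line):
    return base64.b64decode(line.split()[1])


def sample_cert():
    """Constructed sample: placeholder key bytes, zero signature, 8-hour user cert."""
    return encode_cert(
        pubkey=bytes(range(32)), serial=7, cert_type=USER_CERT,
        key_id="vferrao@example.test", principals=["vferrao"],
        valid_after=1574380800, valid_before=1574380800 + 8 * 3600,  # 2019-11-22 00:00 UTC
        critical=[("source-address", "10.0.0.0/8")],
        extensions=[("permit-pty", ""), ("permit-agent-forwarding", "")],
        ca_pubkey=bytes(range(32, 64)), signature=bytes(64), nonce=bytes(32))
```

Running `parse_cert(sample_cert())` shows the whole trust model: the "CA" is just an SSH public key named in `sshd_config` via `TrustedUserCAKeys`, the subject is the list of principals, and validity is two Unix timestamps. A real cert is produced with `ssh-keygen -s ca_key -I key_id -n principal -V +8h id_ed25519.pub` and inspected with `ssh-keygen -L -f id_ed25519-cert.pub`; neither step involves X.509, so there is no role for Dogtag in it.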
On 22 Nov 2019, at 15:07, Alexander Bokovoy abokovoy@redhat.com wrote:
> On Fri, 22 Nov 2019, Vinícius Ferrão via FreeIPA-users wrote:
> > Hello,
> > I would like to know if someone was able to use OpenSSH with certificates managed from the Dogtag CA of FreeIPA.
> > My goal is to be able to issue certificates for users and perhaps use host keys generated from this CA. I know this may be redundant since FreeIPA already manages host keys, but since the CA is already in place, why not?
> > My question is just to know if someone made this, or if someone already tried this and it was broken or unsupported.
> > Thanks all.
> > PS: If someone wants to just say "leave that, it's useless", I'm open to hearing about it.
>
> Not to disappoint, but the use of 'CA certificates' by OpenSSH for naming OpenSSH keys is one of the sources of confusion. I found https://blog.habets.se/2011/07/OpenSSH-certificates.html useful when understanding what it is.
> In short, they aren't anything close to X.509 formats and cannot be issued or signed by Dogtag (or any other normal CA).

Thanks Alexander. I will throw the idea in the bin.
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org