Are you using PKI in your infrastructure?
With the increased demand for stronger security methods through compliance such as PCI, FIPS, Common Criteria, and others, the need for in-house certificate creation and management is becoming more necessary. While Red Hat offers the ability to create a managed CA through IPA in Red Hat Enterprise Linux 6, as well as their stand-alone product of Certificate System, I am curious how others are handling the need to manage complex certificate management requirements. For what purpose are you using certificates? Simply for SSL encryption? Server certs? Signing emails? Identity management?
Responses
Can you point to any documentation supporting creating a managed CA through IPA in Red Hat Enterprise Linux 6?
I've asked various folks about this previously and was told that the CA in IPA is for internal use only and not to be used for typical signing actions. Has this changed?
Hello,
Generally the Dogtag instance of IPA is limited to what IPA wants to do. However, it is possible to add an external host and generate a certificate for it.
For example :
# ipa host-add --ip-address=192.168.166.31 client1.example.com
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-host-entry-cmd
This will create a DNS host A record for client1.example.com. Ensure that the example.com DNS zone is added to IPA, in case the FQDN does not match the IPA domain or the DNS zone was not added previously.
Here is the sample command to add a DNS zone in IPA:
1. Add the new zone. For example:
# ipa dnszone-add example.com --admin-email=admin@example.com --minimum=3000 --dynamic-update=TRUE
2. Reload the name service.
# rndc reload
Refer:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#Managing_DNS_Zones-Adding_DNS_Zones-cmd
Once the host entry is successfully added in IPA, you can get a host certificate or a certificate for a particular service.
For example :
# ipa service-add HTTP/server.example.com
# ipa cert-request --principal=HTTP/web.example.com example.csr
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/client1.example.com -N 'CN=client1.example.com,O=EXAMPLE.COM'
Refer:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#request-service-service-cmd
From the IPA web UI, see the following:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#request-service-service-ui
Hope this helps.
Best Regards,
Nirupama
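As an added example (not part of Nirupama's reply and not IPA's or certmonger's own code), here is a small audit over the kind of tracking list that `ipa-getcert list` prints once a request like the one above is being monitored: it flags entries that are not healthy, that expire soon, or whose subject CN does not name the same host as the Kerberos principal. The sample output and its field layout are constructed assumptions about certmonger's text format, so adjust the patterns to match your version.

```python
# Added example, not from the thread: audit `ipa-getcert list` output (constructed sample below,
# field layout assumed from certmonger's text format) for tracked certificates needing attention.
import re
from datetime import datetime, timedelta
SAMPLE_OUTPUT = """\
Request ID '20120312161605':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=client1.example.com,O=EXAMPLE.COM
\texpires: 2013-03-12 16:16:05 UTC
\tprincipal name: HTTP/client1.example.com@EXAMPLE.COM
Request ID '20120401090000':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tsubject: CN=web.example.com,O=EXAMPLE.COM
\texpires: 2012-05-01 00:00:00 UTC
\tprincipal name: ldap/client2.example.com@EXAMPLE.COM
"""
def parse_ts(s):
    # certmonger prints timestamps like "2013-03-12 16:16:05 UTC"; returned naive, in UTC.
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z")

def parse_getcert_list(text):
    # One dict of field -> value per "Request ID" block; other lines are ignored.
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and line.startswith("\t") and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return entries
def audit_tracking(text, now, warn_days=30):
    # Returns {request_id: [problems]}; empty means every tracked certificate looks healthy.
    findings = {}
    for e in parse_getcert_list(text):
        problems = []
        if e.get("status") != "MONITORING" or e.get("stuck") == "yes":
            problems.append("status=%s stuck=%s" % (e.get("status"), e.get("stuck")))
        if "expires" in e and parse_ts(e["expires"]) - now < timedelta(days=warn_days):
            problems.append("expires within %d days" % warn_days)
        cn = re.search(r"CN=([^,]+)", e.get("subject", ""))
        host = re.match(r"[^/]+/([^@]+)@", e.get("principal name", ""))
        if cn and host and cn.group(1).lower() != host.group(1).lower():
            problems.append("subject CN %s != principal host %s" % (cn.group(1), host.group(1)))
        if problems:
            findings[e["request_id"]] = problems
    return findings
```

Run it against the real listing with `audit_tracking(subprocess.check_output(["ipa-getcert", "list"]).decode(), datetime.utcnow())` on a monitored host; anything returned is a certificate that will not renew cleanly or was issued for a name other than the one the principal covers.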
The organizations I provide services to make heavy use of PKI. While PKI is used for protecting transmissions, it's also used for access control. Your client certificates are essentially your passport to enterprise services. Your access to a given subset of those services depends greatly on what's been encoded into your client certificates.
Also, while these organizations have a large UNIX and Linux presence, they are mostly Windows-oriented when it comes to centralized services' management. This means integrating the UNIX and Linux platforms (and applications running on them) to work with Windows-centric services. While there's room for other services to play, for the most part, those other services have had to be child-solutions and to mesh neatly and easily with the upstream, Windows-oriented solutions. To date, the Red Hat infrastructure components haven't played particularly well in that context.