24.5. Certificate Authority ACL Rules

Certificate Authority access control list (CA ACL) rules define which certificate profiles can be used to issue certificates to which users, services, or hosts, and from which CA. By associating profiles, CAs, principals, and groups, a CA ACL permits the listed principals or groups to request certificates using particular profiles:
  • an ACL can permit access to multiple profiles
  • an ACL can have multiple users, services, hosts, user groups, and host groups associated with it
For example, using CA ACLs, the administrator can restrict a profile intended for employees of the London office so that only members of the London office user group can request certificates with it.
Note
By combining certificate profiles, described in Section 24.4, “Certificate Profiles”, and CA ACLs, the administrator can define and control access to custom certificate profiles. For a description of using profiles and CA ACLs to issue user certificates, see Section 24.6, “Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs”.

24.5.1. CA ACL Management from the Command Line

The caacl plug-in for management of CA ACL rules allows privileged users to add, display, modify, or delete a specified CA ACL. To display all commands supported by the plug-in, run the ipa caacl command:
$ ipa caacl
Manage CA ACL rules.

...

EXAMPLES:

  Create a CA ACL "test" that grants all users access to the
  "UserCert" profile:
    ipa caacl-add test --usercat=all
    ipa caacl-add-profile test --certprofiles UserCert

  Display the properties of a named CA ACL:
    ipa caacl-show test

  Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA":
    ipa caacl-add alice_dnp3
    ipa caacl-add-ca alice_dnp3 --cas DNP3-CA
    ipa caacl-add-profile alice_dnp3 --certprofiles DNP3
    ipa caacl-add-user alice_dnp3 --user=alice
...
Note that to perform the caacl operations, you must be operating as a user who has the required permissions. IdM includes the following CA ACL-related permissions by default:
System: Read CA ACLs
Enables the user to read all attributes of the CA ACL.
System: Add CA ACL
Enables the user to add a new CA ACL.
System: Delete CA ACL
Enables the user to delete an existing CA ACL.
System: Modify CA ACL
Enables the user to modify an attribute of the CA ACL and to disable or enable the CA ACL.
System: Manage CA ACL membership
Enables the user to manage the CA, profile, user, host, and service membership in the CA ACL.
All these permissions are included in the default CA Administrator privilege. For more information on IdM role-based access controls and managing permissions, see Section 10.4, “Defining Role-Based Access Controls”.
This section describes only the most important aspects of using the ipa caacl commands for CA ACL management. For complete information about a command, run it with the --help option added, for example:
$ ipa caacl-mod --help
Usage: ipa [global-options] caacl-mod NAME [options]

Modify a CA ACL.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Description
  --cacat=['all']       CA category the ACL applies to
  --profilecat=['all']  Profile category the ACL applies to
...

Creating CA ACLs

To create a new CA ACL, use the ipa caacl-add command. Running the command without any options starts an interactive session in which ipa caacl-add prompts you for the required information about the new CA ACL.
$ ipa caacl-add
ACL name: smime_acl
------------------------
Added CA ACL "smime_acl"
------------------------
  ACL name: smime_acl
  Enabled: TRUE
New CA ACLs are enabled by default.
The most notable options accepted by ipa caacl-add are the options that associate a CA ACL with a CA, certificate profile, user, host, or service category:
  • --cacat
  • --profilecat
  • --usercat
  • --hostcat
  • --servicecat
IdM only accepts the all value with these options, which associates the CA ACL with all CAs, profiles, users, hosts, or services. For example, to associate the CA ACL with all users and user groups:
$ ipa caacl-add ca_acl_name --usercat=all
CA, profile, user, host, and service categories are an alternative to adding particular objects or groups of objects to a CA ACL, which is described in the section called “Adding Entries to CA ACLs and Removing Entries from CA ACLs”. Note that it is not possible to use a category and also add objects or groups of the same type; for example, you cannot use the --usercat=all option and then add a user to the CA ACL with the ipa caacl-add-user --users=user_name command.
Note
Requesting a certificate for a user or group with a certificate profile fails if the user or group is not covered by a CA ACL that permits that profile. For example:
$ ipa cert-request CSR-FILE --principal user --profile-id profile_id
ipa: ERROR: Insufficient access: Principal 'user' is not permitted to use CA '.' with profile 'profile_id' for certificate issuance.
You must either add the user or group to the CA ACL, as described in the section called “Adding Entries to CA ACLs and Removing Entries from CA ACLs”, or associate the CA ACL with the all user category.

Displaying CA ACLs

To display all CA ACLs, use the ipa caacl-find command:
$ ipa caacl-find
-----------------
2 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
...
ipa caacl-find accepts the --cacat, --profilecat, --usercat, --hostcat, and --servicecat options, which filter the results to CA ACLs with the corresponding CA, certificate profile, user, host, or service category. As with ipa caacl-add, IdM only accepts the all category with these options, so, for example, ipa caacl-find --usercat=all lists every CA ACL that applies to all users. For more information about the options, see the section called “Creating CA ACLs”.
To display information about a particular CA ACL, use the ipa caacl-show command:
$ ipa caacl-show ca_acl_name
  ACL name: ca_acl_name
  Enabled: TRUE
  Host category: all
...
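Because a CA ACL with a User, Host, or Service category of all lets every principal of that class obtain certificates under the listed profiles, such ACLs are the first thing to review after a deployment or before enabling a new profile. The following script is an added example, not part of the Red Hat documentation or of IdM itself: it reads the text printed by ipa caacl-find --all and reports each CA ACL that grants a whole category, together with its enabled state, profiles, and CAs. It assumes the "ACL name:", "Enabled:", "... category:", "Profiles:", and "CAs:" labels that the CLI prints (the ones shown in this section) and ignores other lines. The sample output embedded in the script is constructed, not captured from a real server, so the script can be tried without IdM; the ACL names other than hosts_services_caIPAserviceCert are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or from IdM. Reads the
# text that `ipa caacl-find --all` prints and lists every ACL that grants its
# profiles to an entire class of principals (User/Host/Service category: all).
# Such ACLs are not wrong by themselves (the default
# hosts_services_caIPAserviceCert is one), but each deserves a review, since
# any principal of that class can obtain certificates under the listed
# profiles. Assumes the "ACL name:", "Enabled:", "... category:", "Profiles:"
# and "CAs:" labels of the CLI output; other lines (members, separators,
# counts) are ignored.

# Output: one line per flagged ACL, fields separated by "|":
#   name|enabled/disabled|categories|profiles|cas
# "ALL" in the profiles or cas field means the ACL uses a category there too.
audit_caacls() {
    awk '
        function flush() {
            if (name != "" && cats != "")
                printf "%s|%s|%s|%s|%s\n", name,
                    (enabled == "TRUE" ? "enabled" : "disabled"), cats,
                    (profiles == "" ? "(none)" : profiles),
                    (cas == "" ? "(none)" : cas)
            name = ""; enabled = ""; cats = ""; profiles = ""; cas = ""
        }
        /^ *ACL name: /  { flush(); sub(/^ *ACL name: /, ""); name = $0; next }
        /^ *Enabled: /   { enabled = $2; next }
        /^ *(User|Host|Service) category: all/ {
            cats = cats (cats == "" ? "" : ",") tolower($1); next
        }
        /^ *Profile category: all/ { profiles = "ALL"; next }
        /^ *CA category: all/      { cas = "ALL"; next }
        /^ *Profiles: /  { sub(/^ *Profiles: /, ""); profiles = $0; next }
        /^ *CAs: /       { sub(/^ *CAs: /, ""); cas = $0; next }
        END { flush() }
    '
}

# Constructed sample in the caacl-find output format (not captured from a
# real server). The ACL names other than the default one are hypothetical.
SAMPLE_CAACL_FIND='-----------------
3 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
  ACL name: london_smime_acl
  Enabled: TRUE
  CAs: ipa
  Profiles: london_smime
  User Groups: london_office
  ACL name: legacy_everyone
  Enabled: FALSE
  User category: all
  Profile category: all
----------------------------
Number of entries returned 3
----------------------------'

# Run the audit over the sample. Against a real server use:
#   ipa caacl-find --all | audit_caacls
audit_sample() { printf '%s\n' "$SAMPLE_CAACL_FIND" | audit_caacls; }

if [ "${1:-}" = "demo" ]; then audit_sample; fi
```

Run with sh caacl_audit.sh demo. On the sample, only the default host/service ACL and the disabled legacy_everyone ACL are reported; london_smime_acl, which names a group and a profile explicitly, is not. Disabled ACLs are still listed because ipa caacl-enable turns them back on without any further review.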

Modifying CA ACLs

To modify an existing CA ACL, use the ipa caacl-mod command. Pass the required modifications using the command-line options accepted by ipa caacl-mod. For example, to modify the description of a CA ACL and associate the CA ACL with all certificate profiles:
$ ipa caacl-mod ca_acl_name --desc="New description" --profilecat=all
-----------------------------
Modified CA ACL "ca_acl_name"
-----------------------------
  ACL name: ca_acl_name
  Description: New description
  Enabled: TRUE
  Profile category: all
The most notable options accepted by ipa caacl-mod are the --cacat, --profilecat, --usercat, --hostcat, and --servicecat options. For a description of these options, see the section called “Creating CA ACLs”.

Disabling and Enabling CA ACLs

To disable a CA ACL, use the ipa caacl-disable command:
$ ipa caacl-disable ca_acl_name
---------------------------
Disabled CA ACL "ca_acl_name"
---------------------------
A disabled CA ACL is not applied and cannot be used to request a certificate. Disabling a CA ACL does not remove it from IdM.
To enable a disabled CA ACL, use the ipa caacl-enable command:
$ ipa caacl-enable ca_acl_name
---------------------------
Enabled CA ACL "ca_acl_name"
---------------------------

Deleting CA ACLs

To remove an existing CA ACL, use the ipa caacl-del command:
$ ipa caacl-del ca_acl_name

Adding Entries to CA ACLs and Removing Entries from CA ACLs

Using the ipa caacl-add-* and ipa caacl-remove-* commands, you can add new entries to a CA ACL or remove existing entries.
ipa caacl-add-ca and ipa caacl-remove-ca
Adds or removes a CA.
ipa caacl-add-host and ipa caacl-remove-host
Adds or removes a host or host group.
ipa caacl-add-profile and ipa caacl-remove-profile
Adds or removes a profile.
ipa caacl-add-service and ipa caacl-remove-service
Adds or removes a service.
ipa caacl-add-user and ipa caacl-remove-user
Adds or removes a user or group.
For example:
$ ipa caacl-add-user ca_acl_name --groups=group_name
Note that it is not possible to add an object or a group of objects to a CA ACL and also use a category of the same object, as described in the section called “Creating CA ACLs”; these settings are mutually exclusive. For example, if you attempt to run the ipa caacl-add-user --users=user_name command on a CA ACL specified with the --usercat=all option, the command fails:
$ ipa caacl-add-user ca_acl_name --users=user_name
ipa: ERROR: users cannot be added when user category='all'
Note
Requesting a certificate for a user or group with a certificate profile fails if the user or group is not covered by a CA ACL that permits that profile. For example:
$ ipa cert-request CSR-FILE --principal user --profile-id profile_id
ipa: ERROR: Insufficient access: Principal 'user' is not permitted to use CA '.' with profile 'profile_id' for certificate issuance.
You must either add the user or group to the CA ACL, or associate the CA ACL with the all user category, as described in the section called “Creating CA ACLs”.
For detailed information on the required syntax for these commands and the available options, run the commands with the --help option added. For example:
$ ipa caacl-add-user --help
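Putting the commands of this section together, the London office case from the introduction is implemented as an ACL that names a CA, a profile, and a user group explicitly, with no category options at all. The following script is an added example, not part of the Red Hat documentation or of IdM: it creates such an ACL and then reads it back with ipa caacl-show and refuses to accept it if any "... category: all" line is present or the expected group or profile is missing. The names london_smime_acl, london_office, and london_smime are hypothetical; the script assumes the group already exists, that the profile was imported beforehand (Section 24.4), that the issuing CA is the top-level IdM CA named ipa, and that caacl-show prints the "User Groups:" and "Profiles:" labels used in this section. The IPA variable lets you point the script at a wrapper command for a dry run.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or of IdM itself.
# Builds the "London office" CA ACL from the section introduction with
# explicit members only, then checks that the stored ACL is no broader than
# intended.
#
# Assumed (hypothetical) names: user group london_office already exists, the
# profile london_smime was imported with `ipa certprofile-import`, and the
# issuing CA is the top-level IdM CA, whose name in `ipa ca-find` is "ipa".
# IPA may be set to a wrapper command for dry runs or offline tests.

ACL_NAME="london_smime_acl"
ACL_GROUP="london_office"
ACL_PROFILE="london_smime"
ACL_CA="ipa"

ipa_cmd() { "${IPA:-ipa}" "$@"; }

# Create the ACL. No --usercat/--hostcat/--servicecat is given, so the only
# principals that match are the ones added explicitly below; a category and
# explicit members of the same type cannot be combined anyway.
create_london_acl() {
    ipa_cmd caacl-add "$ACL_NAME" --desc="S/MIME certificates for the London office" || return 1
    ipa_cmd caacl-add-ca "$ACL_NAME" --cas="$ACL_CA" || return 1
    ipa_cmd caacl-add-profile "$ACL_NAME" --certprofiles="$ACL_PROFILE" || return 1
    ipa_cmd caacl-add-user "$ACL_NAME" --groups="$ACL_GROUP" || return 1
}

# Read the ACL back and fail if it is broader than intended: any
# "... category: all" line (CA, profile, user, host or service), a missing
# group or profile, or a disabled ACL. Assumes the "User Groups:" and
# "Profiles:" labels that caacl-show prints.
verify_london_acl() {
    out=$(ipa_cmd caacl-show "$ACL_NAME" --all) || return 1
    if printf '%s\n' "$out" | grep -qi 'category: all'; then
        echo "refusing: $ACL_NAME grants a whole category" >&2
        return 1
    fi
    printf '%s\n' "$out" | grep -q "User Groups:.*$ACL_GROUP" \
        || { echo "$ACL_GROUP is not a member of $ACL_NAME" >&2; return 1; }
    printf '%s\n' "$out" | grep -q "Profiles:.*$ACL_PROFILE" \
        || { echo "$ACL_PROFILE is not a member of $ACL_NAME" >&2; return 1; }
    printf '%s\n' "$out" | grep -q 'Enabled: TRUE' \
        || { echo "$ACL_NAME is disabled" >&2; return 1; }
}

# Usage: sh london_acl.sh create   followed by   sh london_acl.sh verify
case "${1:-}" in
    create) create_london_acl ;;
    verify) verify_london_acl ;;
esac
```

The verify step is the part worth keeping around: an ACL can be widened later with ipa caacl-mod --usercat=all by anyone holding the Modify CA ACL permission, and the resulting caacl-show output is the only place that change is visible. Running the check from a periodic job catches that drift.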

24.5.2. CA ACL Management from the Web UI

To manage CA ACLs from the IdM web UI:
  1. Open the Authentication tab and the Certificates subtab.
  2. Open the CA ACLs section.

    Figure 24.9. CA ACL Rules Management in the Web UI
In the CA ACLs section, you can add new CA ACLs, display information about existing CA ACLs, modify their attributes, as well as enable, disable, or delete selected CA ACLs.
For example, to modify an existing CA ACL:
  1. Click on the name of the CA ACL to open the CA ACL configuration page.
  2. In the CA ACL configuration page, fill in the required information.
    The Profiles and Permitted to have certificates issued sections allow you to associate the CA ACL with certificate profiles, users or user groups, hosts or host groups, or services. You can either add these objects using the Add buttons, or select the Anyone option to associate the CA ACL with all users, hosts, or services.
  3. Click Save to confirm the new configuration.

    Figure 24.10. Modifying a CA ACL Rule in the Web UI