24.4. Certificate Profiles
- whether the CA can accept a certificate signing request (CSR)
- what features and extensions should be present on the certificate
IECUserRoles. In addition, custom profiles can be imported.
24.4.1. Creating a Certificate Profile
- The Setting up Certificate Profiles section explains how to create new certificate profiles and how they are constructed.
- The Defaults, Constraints, and Extensions for Certificates and CRLs appendix lists the object identifiers (OID) other fields you can use in a certificate profile.
24.4.2. Certificate Profile Management from the Command Line
certprofileplug-in for management of IdM profiles allows privileged users to import, modify, or remove IdM certificate profiles. To display all commands supported by the plug-in, run the ipa certprofile command:
$ ipa certprofile Manage Certificate Profiles ... EXAMPLES: Import a profile that will not store issued certificates: ipa certprofile-import ShortLivedUserCert \ --file UserCert.profile --desc "User Certificates" \ --store=false Delete a certificate profile: ipa certprofile-del ShortLivedUserCert ...
certprofileoperations, you must be operating as a user who has the required permissions. IdM includes the following certificate profile-related permissions by default:
- System: Read Certificate Profiles
- Enables users to read all profile attributes.
- System: Import Certificate Profile
- Enables users to import a certificate profile into IdM.
- System: Delete Certificate Profile
- Enables users to delete an existing certificate profile.
- System: Modify Certificate Profile
- Enables users to modify the profile attributes and to disable or enable the profile.
CA Administratorprivilege. For more information on IdM role-based access controls and managing permissions, see Section 10.4, “Defining Role-Based Access Controls”.
--profile-idoption can be added to the ipa cert-request command to specify which profile to use. If no profile ID is specified, the default
caIPAserviceCertprofile is used for the certificate.
--helpoption added, for example:
$ ipa certprofile-mod --help Usage: ipa [global-options] certprofile-mod ID [options] Modify Certificate Profile configuration. Options: -h, --help show this help message and exit --desc=STR Brief description of this profile --store=BOOL Whether to store certs issued using this profile ...
Importing Certificate Profiles
certprofile-importscript prompts your for the information required to import the certificate.
$ ipa certprofile-import Profile ID: smime Profile description: S/MIME certificates Store issued certificates [True]: TRUE Filename of a raw profile. The XML format is not supported.: smime.cfg ------------------------ Imported profile "smime" ------------------------ Profile ID: smime Profile description: S/MIME certificates Store issued certificates: TRUE
- This option passes the file containing the profile configuration directly to ipa certprofile-import. For example:
$ ipa certprofile-import --file=smime.cfg
- This option sets the
Store issued certificatesattribute. It accepts two values:
True, which delivers the issued certificates to the client and stores them in the target IdM principal's
False, which delivers the issued certificates to the client, but does not store them in IdM. This option is most commonly-used when issuing multiple short-term certificates is required.
--outoption, which exports a specified existing profile to a file. For example:
$ ipa certprofile-show caIPAserviceCert --out=file_name
Displaying Certificate Profiles
$ ipa certprofile-find ------------------ 3 profiles matched ------------------ Profile ID: caIPAserviceCert Profile description: Standard profile for network services Store issued certificates: TRUE Profile ID: IECUserRoles ...
$ ipa certprofile-show profile_ID Profile ID: profile_ID Profile description: S/MIME certificates Store issued certificates: TRUE
Modifying Certificate Profiles
$ ipa certprofile-mod profile_ID --desc="New description" --store=False ------------------------------------ Modified Certificate Profile "profile_ID" ------------------------------------ Profile ID: profile_ID Profile description: New description Store issued certificates: FALSE
--fileoption. For example:
$ ipa certprofile-mod profile_ID --file=new_configuration.cfg
Deleting Certificate Profiles
$ ipa certprofile-del profile_ID ----------------------- Deleted profile "profile_ID" -----------------------
24.4.3. Certificate Profile Management from the Web UI
- Open the Authentication tab and the Certificates subtab.
- Open the Certificate Profiles section.
Figure 24.7. Certificate Profile Management in the Web UI
- Click on the name of the profile to open the profile configuration page.
- In the profile configuration page, fill in the required information.
- Clickto confirm the new configuration.
Figure 24.8. Modifying a Certificate Profile in the Web UI
Store issued certificatesoption, the issued certificates are delivered to the client as well as stored in the target IdM principal's
userCertificateattribute. If the option is disabled, the issued certificates are delivered to the client, but not stored in IdM. Storing certificates is often disabled when issuing multiple short-lived certificates is required.
- It is not possible to import a certificate profile in the web UI. To import a certificate, use the ipa certprofile-import command.
- It is not possible to set, add, or delete attribute and value pairs. To modify the attribute and value pairs, use the ipa certprofile-mod command.
- It is not possible to import updated certificate profile configuration. To import a file containing updated profile configuration, use the ipa certprofile-mod --file=file_name command.