24.4. Certificate Profiles
- whether the CA can accept a certificate signing request (CSR)
- what features and extensions should be present on the certificate
IdM includes the caIPAserviceCert and IECUserRoles certificate profiles by default. In addition, custom profiles can be imported.
24.4.1. Creating a Certificate Profile
- The Setting up Certificate Profiles section explains how to create new certificate profiles and how they are constructed.
- The Defaults, Constraints, and Extensions for Certificates and CRLs appendix lists the object identifiers (OIDs) and other fields you can use in a certificate profile.
24.4.2. Certificate Profile Management from the Command Line
The certprofile plug-in for management of IdM profiles allows privileged users to import, modify, or remove IdM certificate profiles. To display all commands supported by the plug-in, run the ipa certprofile command:
$ ipa certprofile
Manage Certificate Profiles

...

EXAMPLES:

  Import a profile that will not store issued certificates:
    ipa certprofile-import ShortLivedUserCert \
      --file UserCert.profile --desc "User Certificates" \
      --store=false

  Delete a certificate profile:
    ipa certprofile-del ShortLivedUserCert

...
To perform certprofile operations, you must be operating as a user who has the required permissions. IdM includes the following certificate profile-related permissions by default:
- System: Read Certificate Profiles: enables users to read all profile attributes.
- System: Import Certificate Profile: enables users to import a certificate profile into IdM.
- System: Delete Certificate Profile: enables users to delete an existing certificate profile.
- System: Modify Certificate Profile: enables users to modify the profile attributes and to disable or enable the profile.
These permissions are included in the CA Administrator privilege. For more information on IdM role-based access controls and managing permissions, see Section 10.4, “Defining Role-Based Access Controls”.
The --profile-id option can be added to the ipa cert-request command to specify which profile to use. If no profile ID is specified, the default caIPAserviceCert profile is used for the certificate.
Use the ipa certprofile commands for profile management. For complete information about a command, run it with the --help option added, for example:
$ ipa certprofile-mod --help
Usage: ipa [global-options] certprofile-mod ID [options]

Modify Certificate Profile configuration.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Brief description of this profile
  --store=BOOL          Whether to store certs issued using this profile
...
Importing Certificate Profiles
To import a certificate profile, use the ipa certprofile-import command. Running the command without any options starts an interactive session in which the certprofile-import script prompts you for the information required to import the certificate profile.
$ ipa certprofile-import
Profile ID: smime
Profile description: S/MIME certificates
Store issued certificates [True]: TRUE
Filename of a raw profile. The XML format is not supported.: smime.cfg
------------------------
Imported profile "smime"
------------------------
  Profile ID: smime
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
The ipa certprofile-import command accepts several command-line options. Most notably:
- --file: This option passes the file containing the profile configuration directly to ipa certprofile-import. For example:
$ ipa certprofile-import --file=smime.cfg
- --store: This option sets the Store issued certificates attribute. It accepts two values:
True, which delivers the issued certificates to the client and stores them in the target IdM principal's userCertificate attribute.
False, which delivers the issued certificates to the client, but does not store them in IdM. This option is most commonly used when issuing multiple short-term certificates is required.
Importing a profile fails if the profile ID specified with ipa certprofile-import is already in use or if the profile content is incorrect. For example, the import fails if a required attribute is missing or if the profile ID value defined in the supplied file does not match the profile ID specified with ipa certprofile-import.
To obtain a profile configuration file that can serve as the starting point for a new profile, use the ipa certprofile-show command with the --out option, which exports a specified existing profile to a file. For example:
$ ipa certprofile-show caIPAserviceCert --out=file_name
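As an added example (not code from the IdM documentation), the following shell script checks a raw profile file locally for the two import failure conditions described above, a profile ID that differs from the one given to ipa certprofile-import and a missing required attribute, before composing the import command. It assumes the raw profile is key=value text carrying profileId and classId lines; the sample profile is constructed here and the ipa command is printed rather than run, so no IdM server is needed.

```shell
#!/bin/sh
# Added example, not part of the IdM documentation: preflight checks on a raw
# profile file before running `ipa certprofile-import`, so a profile ID mismatch
# or a missing attribute is caught locally with a clear message.
# Assumption: the raw profile is key=value text carrying a profileId line and a
# classId line (the page only states that the XML format is not supported).

# Constructed sample profile, written to a temporary file so this runs offline.
SAMPLE_PROFILE="$(mktemp)"
cat > "$SAMPLE_PROFILE" <<'EOF'
profileId=smime
classId=caEnrollImpl
desc=S/MIME certificates
visible=true
enable=true
EOF

# Print the value of KEY in FILE (first occurrence wins, empty if absent).
profile_key() {  # $1=file $2=key
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 when FILE's profileId matches the ID we intend to import under,
# 1 when it differs, 2 when profileId or classId is missing altogether.
preflight_profile() {  # $1=file $2=expected profile ID
    id="$(profile_key "$1" profileId)"
    class="$(profile_key "$1" classId)"
    [ -n "$id" ] && [ -n "$class" ] || return 2
    [ "$id" = "$2" ] || return 1
    return 0
}

# Compose the import command line. --store=false is the page's choice for
# short-lived certificates; the command is printed, not executed, since no IdM
# server is assumed to be reachable here.
import_cmd() {  # $1=file $2=profile ID $3=description $4=true|false
    printf 'ipa certprofile-import %s --file=%s --desc="%s" --store=%s\n' \
        "$2" "$1" "$3" "$4"
}

if preflight_profile "$SAMPLE_PROFILE" smime; then
    import_cmd "$SAMPLE_PROFILE" smime "S/MIME certificates" false
else
    echo "refusing to import: $SAMPLE_PROFILE does not describe profile smime" >&2
fi
```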
Displaying Certificate Profiles
To display all certificate profiles currently stored in IdM, use the ipa certprofile-find command:
$ ipa certprofile-find
------------------
3 profiles matched
------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

  Profile ID: IECUserRoles
  ...
To display information about a particular profile, use the ipa certprofile-show command:
$ ipa certprofile-show profile_ID
  Profile ID: profile_ID
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
Modifying Certificate Profiles
To modify an existing certificate profile, use the ipa certprofile-mod command. Pass the required modifications with the command using the command-line options accepted by ipa certprofile-mod. For example, to modify the description of a profile and change whether IdM stores the issued certificates:
$ ipa certprofile-mod profile_ID --desc="New description" --store=False
------------------------------------
Modified Certificate Profile "profile_ID"
------------------------------------
  Profile ID: profile_ID
  Profile description: New description
  Store issued certificates: FALSE
To replace the profile configuration with the contents of a file, use the --file option. For example:
$ ipa certprofile-mod profile_ID --file=new_configuration.cfg
Deleting Certificate Profiles
To remove a certificate profile, use the ipa certprofile-del command:
$ ipa certprofile-del profile_ID
-----------------------
Deleted profile "profile_ID"
-----------------------
24.4.3. Certificate Profile Management from the Web UI
- Open the Authentication tab and the Certificates subtab.
- Open the Certificate Profiles section.
Figure 24.7. Certificate Profile Management in the Web UI
- Click on the name of the profile to open the profile configuration page.
- In the profile configuration page, fill in the required information.
- Click to confirm the new configuration.
Figure 24.8. Modifying a Certificate Profile in the Web UI
If the Store issued certificates option is enabled, the issued certificates are delivered to the client as well as stored in the target IdM principal's userCertificate attribute. If the option is disabled, the issued certificates are delivered to the client, but not stored in IdM. Storing certificates is often disabled when issuing multiple short-lived certificates is required.
Some operations are not available in the web UI:
- It is not possible to import a certificate profile in the web UI. To import a certificate profile, use the ipa certprofile-import command.
- It is not possible to set, add, or delete attribute and value pairs. To modify the attribute and value pairs, use the ipa certprofile-mod command.
- It is not possible to import updated certificate profile configuration. To import a file containing updated profile configuration, use the ipa certprofile-mod --file=file_name command.