Red Hat Training

A Red Hat training course is available for Red Hat Linux

Chapter 24. Managing Certificates for Users, Hosts, and Services

Identity Management (IdM) supports two types of certificate authorities (CAs):
Integrated IdM CA
Integrated CAs can create, revoke, and issue certificates for users, hosts, and services. For more details, see Section 24.1, “Managing Certificates with the Integrated IdM CAs”.
IdM supports creating lightweight sub-CAs. For more details, see Section 26.1, “Lightweight Sub-CAs”
External CA
An external CA is a CA other than the integrated IdM CA.
Using IdM tools, you add certificates issued by these CAs to users, services, or hosts as well as remove them. For more details, see Section 24.2, “Managing Certificates Issued by External CAs”.
Each user, host, or service can have multiple certificates assigned.

Note

For more details on the supported CA configurations of the IdM server, see Section 2.3.2, “Determining What CA Configuration to Use”.

24.1. Managing Certificates with the Integrated IdM CAs

24.1.1. Requesting New Certificates for a User, Host, or Service

To request a certificate using:
Note that you must generate the certificate request itself with a third-party tool. The following procedures use the certutil and openSSL utilities.

Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service's private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the CSR on the service node.

Web UI: Requesting New Certificates

  1. Under the Identity tab, select the Users, Hosts, or Services subtab.
  2. Click the name of the user, host, or service to open its configuration page.
    List of Hosts

    Figure 24.1. List of Hosts

  3. Click ActionsNew Certificate.
  4. Optional: Select the issuing CA and profile ID.
  5. Follow the instructions on the screen for using certutil.
  6. Click Issue.

Command Line: Requesting New Certificates

Request a new certificate using certutil in standard situations - see Section 24.1.1.1, “Requesting New Certificates Using certutil”. Request a new certificate using openSSL to enable a Kerberos alias to use a host or service certificate - see Section 24.1.1.2, “Requesting New Certificates Using openSSL”.

24.1.1.1. Requesting New Certificates Using certutil

  1. Create a new temporary certificate database, for instance:
    # certutil -N -d ~/certdb/
  2. Create the certificate signing request (CSR) and redirect the output to a file. For example, to create a CSR for a 4096 bit certificate and to set the subject to CN=server.example.com,O=EXAMPLE.COM:
    # certutil -R -d ~/certdb/ -a -g 4096 -s "CN=server.example.com,O=EXAMPLE.COM" -8 server.example.com > certificate_request.csr
  3. Submit the certificate request file to the server. Be sure to specify the Kerberos principal to associate with the newly-issued certificate:
    # ipa cert-request certificate_request.csr --principal=host/server.example.com
IdM uses the following defaults:
  • Certificate profile: caIPAserviceCert
    To select a custom profile, use the --profile-id option with the ipa cert-request command.
  • Integrated CA: ipa (IdM root CA)
    To select a sub-CA, use the --ca option with the ipa cert-request command.

24.1.1.2. Requesting New Certificates Using openSSL

  1. Create one or more aliases, for example test1/server.example.com, test2/server.example.com, for your Kerberos principal test/server.example.com. See Section 20.2.1, “Kerberos Principal Alias” for more details.
  2. In the CSR, add a subjectAltName for dnsName (server.example.com) and otherName (test2/server.example.com). To do this, configure the openssl.conf file so that it includes the following line specifying the UPN otherName and subjectAltName:
    otherName=1.3.6.1.4.1.311.20.2.3;UTF8:test2/server.example.com@EXAMPLE.COM
    DNS.1 = server.example.com
  3. Create a certificate request using openssl:
    openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -out certificate_request.csr -config openssl.conf

24.1.2. Revoking Certificates with the Integrated IdM CAs

If you need to invalidate the certificate before its expiration date, you can revoke it. To revoke a certificate using:
A revoked certificate is invalid and cannot be used for authentication. All revocations are permanent, except for reason 6: Certificate Hold.

Table 24.1. Revocation Reasons

ID Reason Explanation
0 Unspecified
1 Key Compromised
The key that issued the certificate is no longer trusted.
Possible causes: lost token, improperly accessed file.
2 CA Compromised The CA that issued the certificate is no longer trusted.
3 Affiliation Changed
Possible causes:
  • A person has left the company or moved to another department.
  • A host or service is being retired.
4 Superseded A newer certificate has replaced the current certificate.
5 Cessation of Operation The host or service is being decommissioned.
6 Certificate Hold The certificate is temporarily revoked. You can restore the certificate later.
8 Remove from CRL The certificate is not included in the certificate revocation list (CRL).
9 Privilege Withdrawn The user, host, or service is no longer permitted to use the certificate.
10 Attribute Authority (AA) Compromise The AA certificate is no longer trusted.

Web UI: Revoking Certificates

To revoke a certificate:
  1. Open the Authentication tab, and select the Certificates subtab.
  2. Click the serial number of the certificate to open the certificate information page.
    List of Certificates

    Figure 24.2. List of Certificates

  3. Click ActionsRevoke Certificate.
  4. Select the reason for revoking, and click Revoke. See Table 24.1, “Revocation Reasons” for details.

Command Line: Revoking Certificates

Use the ipa cert-revoke command, and specify:
For example, to revoke the certificate with serial number 1032 because of reason 1: Key Compromised:
$ ipa cert-revoke 1032 --revocation-reason=1

24.1.3. Restoring Certificates with the Integrated IdM CAs

If you have revoked a certificate because of reason 6: Certificate Hold, you can restore it again. To restore a certificate using:

Web UI: Restoring Certificates

  1. Open the Authentication tab, and select the Certificates subtab.
  2. Click the serial number of the certificate to open the certificate information page.
    List of Certificates

    Figure 24.3. List of Certificates

  3. Click ActionsRestore Certificate.

Command Line: Restoring Certificates

Use the ipa cert-remove-hold command and specify the certificate serial number. For example:
$ ipa cert-remove-hold 1032