24.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
Issuing Certificates to Users from the Command Line
- Create or import a new custom certificate profile for handling requests for user certificates. For example:
$ ipa certprofile-import certificate_profile --file=certificate_profile.cfg --store=True
- Add a new Certificate Authority (CA) ACL that will be used to permit requesting certificates for user entries. For example:
$ ipa caacl-add users_certificate_profile --usercat=all
- Add the custom certificate profile to the CA ACL.
$ ipa caacl-add-profile users_certificate_profile --certprofiles=certificate_profile
- Generate a certificate request for the user. For example, using OpenSSL:
$ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=user'
- Run the ipa cert-request command to have the IdM CA issue a new certificate for the user.
$ ipa cert-request cert.csr --principal=user --profile-id=certificate_profileOptionally pass the
--ca sub-CA_nameoption to the command to request the certificate from a sub-CA instead of the root CA
$ ipa user-show user User login: user ... Certificate: MIICfzCCAWcCAQA... ...
Issuing Certificates to Users in the Web UI
- Create or import a new custom certificate profile for handling requests for user certificates. Importing profiles is only possible from the command line, for example:
$ ipa certprofile-import certificate_profile --file=certificate_profile.txt --store=TrueFor information about certificate profiles, see Section 24.4, “Certificate Profiles”.
- In the web UI, under the Authentication tab, open the CA ACLs section.
Figure 24.11. CA ACL Rules Management in the Web UIClick Add at the top of the list of Certificate Authority (CA) ACLs to add a new CA ACL that permits requesting certificates for user entries.
- In the Add CA ACL window that opens, fill in the required information about the new CA ACL.
Figure 24.12. Adding a New CA ACLThen, click Add and Edit to go directly to the CA ACL configuration page.
- In the CA ACL configuration page, scroll to the Profiles section and click Add at the top of the profiles list.
Figure 24.13. Adding a Certificate Profile to the CA ACL
- Add the custom certificate profile to the CA ACL by selecting the profile and moving it to the Prospective column.
Figure 24.14. Selecting a Certificate ProfileThen, click Add.
- Scroll to the Permitted to have certificates issued section to associate the CA ACL with users or user groups.You can either add users or groups using the Add buttons, or select the Anyone option to associate the CA ACL with all users.
Figure 24.15. Adding Users to the CA ACL
- In the Permitted to have certificates issued section, you can associate the CA ACL with one or more CAs.You can either add CAs using the Add button, or select the Any CA option to associate the CA ACL with all CAs.
Figure 24.16. Adding CAs to the CA ACL
- At the top of the CA ACL configuration page, click Save to confirm the changes to the CA ACL.
- Request a new certificate for the user.
- Under the Identity tab and the Users subtab, choose the user for whom the certificate will be requested. Click on the user's user name to open the user entry configuration page.
- Click Actions at the top of the user configuration page, and then click New Certificate.
Figure 24.17. Requesting a Certificate for a User
- Fill in the required information.
Figure 24.18. Issuing a Certificate for a UserThen, click Issue.