24.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs

Users can request certificates for themselves when permitted by the Certificate Authority access control lists (CA ACLs). The following procedures use certificate profiles and CA ACLs, which are described separately in Section 24.4, “Certificate Profiles” and Section 24.5, “Certificate Authority ACL Rules”. For more details about using certificate profiles and CA ACLs, see these sections.

Issuing Certificates to Users from the Command Line

  1. Create or import a new custom certificate profile for handling requests for user certificates. For example:
    $ ipa certprofile-import certificate_profile --file=certificate_profile.cfg --store=True
    
  2. Add a new Certificate Authority (CA) ACL that will be used to permit requesting certificates for user entries. For example:
    $ ipa caacl-add users_certificate_profile --usercat=all
    
  3. Add the custom certificate profile to the CA ACL. For example:
    $ ipa caacl-add-profile users_certificate_profile --certprofiles=certificate_profile
    
  4. Generate a certificate request for the user. For example, using OpenSSL:
    $ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=user'
    
  5. Run the ipa cert-request command to have the IdM CA issue a new certificate for the user.
    $ ipa cert-request cert.csr --principal=user --profile-id=certificate_profile
    Optionally pass the --ca sub-CA_name option to the command to request the certificate from a sub-CA instead of the root CA ipa.
To make sure the newly-issued certificate is assigned to the user, you can use the ipa user-show command:
$ ipa user-show user
  User login: user
  ...
  Certificate: MIICfzCCAWcCAQA...
  ...
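The command-line procedure above as one script, an added example rather than Red Hat's own code. It assumes the profile configuration file is named after the profile (certificate_profile.cfg) and uses hypothetical PROFILE, ACL and REQ_CA variables; it adds the checks a practitioner wants: the CA ACL is confirmed to list the profile before any CSR is generated, the unencrypted private key is created unreadable to other users, and the certificate attached to the user entry is compared with the one the CA returned.

```sh
#!/bin/sh
# Added example, not Red Hat's code: the CLI procedure above as one script with
# the checks a practitioner wants. Profile/ACL names are the page's placeholders.
set -eu

PROFILE="${PROFILE:-certificate_profile}"   # step 1: profile ID (assumes file $PROFILE.cfg)
ACL="${ACL:-users_certificate_profile}"     # step 2: CA ACL name
REQ_CA="${REQ_CA:-ipa}"                     # CA to request from (--ca); ipa = root CA

# Step 4: CSR subject for a user principal, CN equal to the IdM user login.
csr_subject() { printf '/CN=%s' "$1"; }

# Base64 certificate blob from 'ipa cert-request' or 'ipa user-show' output.
cert_from() { sed -n 's|^ *Certificate: *\([A-Za-z0-9+/=]*\).*|\1|p' | head -n 1; }

# Steps 1-3: import the profile and create the CA ACL only if they do not exist yet,
# then refuse to go on unless the ACL really lists the profile.
setup_policy() {
  ipa certprofile-show "$PROFILE" >/dev/null 2>&1 ||
    ipa certprofile-import "$PROFILE" --file="$PROFILE.cfg" --store=True
  ipa caacl-show "$ACL" >/dev/null 2>&1 || ipa caacl-add "$ACL" --usercat=all
  ipa caacl-add-profile "$ACL" --certprofiles="$PROFILE" >/dev/null 2>&1 || true
  ipa caacl-show "$ACL" | grep -q "Profiles:.*$PROFILE" ||
    { echo "CA ACL $ACL does not permit profile $PROFILE" >&2; exit 1; }
}

# Steps 4-5: generate the key so only the caller can read it (-nodes leaves it
# unencrypted), request the certificate, and confirm it landed on the user entry.
issue_for_user() {
  user="$1"
  ( umask 077; openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$user.key" -out "$user.csr" -subj "$(csr_subject "$user")" )
  cert=$(ipa cert-request "$user.csr" --principal="$user" \
           --profile-id="$PROFILE" --ca="$REQ_CA" | cert_from)
  [ -n "$cert" ] || { echo "ipa cert-request returned no certificate" >&2; exit 1; }
  ipa user-show "$user" --all | grep -qF "$cert" ||
    { echo "issued certificate is not attached to user $user" >&2; exit 1; }
  echo "$cert"
}

# Usage (with an admin Kerberos ticket): ./issue_user_cert.sh <user>
if [ $# -gt 0 ]; then setup_policy; issue_for_user "$1"; fi
```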

Issuing Certificates to Users in the Web UI

  1. Create or import a new custom certificate profile for handling requests for user certificates. Importing profiles is only possible from the command line, for example:
    $ ipa certprofile-import certificate_profile --file=certificate_profile.txt --store=True
    
    For information about certificate profiles, see Section 24.4, “Certificate Profiles”.
  2. In the web UI, under the Authentication tab, open the CA ACLs section.

    Figure 24.11. CA ACL Rules Management in the Web UI
    Click Add at the top of the list of Certificate Authority (CA) ACLs to add a new CA ACL that permits requesting certificates for user entries.
    1. In the Add CA ACL window that opens, fill in the required information about the new CA ACL.

      Figure 24.12. Adding a New CA ACL
      Then, click Add and Edit to go directly to the CA ACL configuration page.
    2. In the CA ACL configuration page, scroll to the Profiles section and click Add at the top of the profiles list.

      Figure 24.13. Adding a Certificate Profile to the CA ACL
    3. Add the custom certificate profile to the CA ACL by selecting the profile and moving it to the Prospective column.

      Figure 24.14. Selecting a Certificate Profile
      Then, click Add.
    4. Scroll to the Permitted to have certificates issued section to associate the CA ACL with users or user groups.
      You can either add users or groups using the Add buttons, or select the Anyone option to associate the CA ACL with all users.

      Figure 24.15. Adding Users to the CA ACL
    5. In the Permitted to have certificates issued section, you can associate the CA ACL with one or more CAs.
      You can either add CAs using the Add button, or select the Any CA option to associate the CA ACL with all CAs.

      Figure 24.16. Adding CAs to the CA ACL
    6. At the top of the CA ACL configuration page, click Save to confirm the changes to the CA ACL.
  3. Request a new certificate for the user.
    1. Under the Identity tab and the Users subtab, choose the user for whom the certificate will be requested. Click on the user's user name to open the user entry configuration page.
    2. Click Actions at the top of the user configuration page, and then click New Certificate.

      Figure 24.17. Requesting a Certificate for a User
    3. Fill in the required information.

      Figure 24.18. Issuing a Certificate for a User
      Then, click Issue.
After this, the newly issued certificate is visible in the user configuration page.