Chapter 39. Managing certificates for users, hosts, and services using the integrated IdM CA

This chapter describes how to manage certificates in Identity Management (IdM) using the integrated CA, the ipa CA, and its sub-CAs.

This chapter contains the following sections:

You can also request new certificates for a service from the IdM CA using the certmonger utility. For more information, see Requesting new certificates for a service from IdM CA using certmonger.

Prerequisites

39.1. Requesting new certificates for a user, host, or service using IdM Web UI

This section describes how to use the Identity Management (IdM) Web UI to request a new certificate for any IdM entity from the integrated IdM certificate authorities (CAs): the ipa CA or any of its sub-CAs.

IdM entities include:

  • Users
  • Hosts
  • Services
Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.

Prerequisites

  • Your IdM deployment contains an integrated CA.
  • You are logged into the IdM Web UI as the IdM administrator.

Procedure

  1. Under the Identity tab, select the Users, Hosts, or Services subtab.
  2. Click the name of the user, host, or service to open its configuration page.

    Figure 39.1. List of Hosts

    hosts list
  3. Click ActionsNew Certificate.
  4. Optional: Select the issuing CA and profile ID.
  5. Follow the instructions for using the certutil command-line (CLI) utility on the screen.
  6. Click Issue.

39.2. Requesting new certificates for a user, host, or service from IdM CA using certutil

You can use the certutil utility to request a certificate for an Identity Management (IdM) user, host or service in standard IdM situations. To ensure that a host or service Kerberos alias can use a certificate, use the openssl utility to request a certificate instead.

This section describes how to request a certificate for an IdM user, host, or service from ipa, the IdM certificate authority (CA), using certutil.

Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.

Prerequisites

  • Your IdM deployment contains an integrated CA.
  • You are logged into the IdM command-line interface (CLI) as the IdM administrator.

Procedure

  1. Create a temporary directory for the certificate database:

    # mkdir ~/certdb/
  2. Create a new temporary certificate database, for example:

    # certutil -N -d ~/certdb/
  3. Create the CSR and redirect the output to a file. For example, to create a CSR for a 4096 bit certificate and to set the subject to CN=server.example.com,O=EXAMPLE.COM:

    # certutil -R -d ~/certdb/ -a -g 4096 -s "CN=server.example.com,O=EXAMPLE.COM" -8 server.example.com > certificate_request.csr
  4. Submit the certificate request file to the CA running on the IdM server. Specify the Kerberos principal to associate with the newly-issued certificate:

    # ipa cert-request certificate_request.csr --principal=host/server.example.com

    The ipa cert-request command in IdM uses the following defaults:

    • The caIPAserviceCert certificate profile

      To select a custom profile, use the --profile-id option.

    • The integrated IdM root CA, ipa

      To select a sub-CA, use the --ca option.

Additional resources

39.3. Requesting new certificates for a user, host, or service from IdM CA using openssl

You can use the openssl utility to request a certificate for an Identity Management (IdM) host or service if you want to ensure that the Kerberos alias of the host or service can use the certificate. In standard situations, consider requesting a new certificate using the certutil utility instead.

This section describes how to request a certificate for an IdM host, or service from ipa, the IdM certificate authority, using openssl.

Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.

Prerequisites

  • Your IdM deployment contains an integrated CA.
  • You are logged into the IdM command-line interface (CLI) as the IdM administrator.

Procedure

  1. Create one or more aliases for your Kerberos principal test/server.example.com. For example, test1/server.example.com and test2/server.example.com.
  2. In the CSR, add a subjectAltName for dnsName (server.example.com) and otherName (test2/server.example.com). To do this, configure the openssl.conf file to include the following line specifying the UPN otherName and subjectAltName:

    otherName=1.3.6.1.4.1.311.20.2.3;UTF8:test2/server.example.com@EXAMPLE.COM
    DNS.1 = server.example.com
  3. Create a certificate request using openssl:

    openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -out certificate_request.csr -config openssl.conf
  4. Submit the certificate request file to the CA running on the IdM server. Specify the Kerberos principal to associate with the newly-issued certificate:

    # ipa cert-request certificate_request.csr --principal=host/server.example.com

    The ipa cert-request command in IdM uses the following defaults:

    • The caIPAserviceCert certificate profile

      To select a custom profile, use the --profile-id option.

    • The integrated IdM root CA, ipa

      To select a sub-CA, use the --ca option.

Additional resources

39.4. Additional resources