Chapter 10. Configuring authentication with a certificate stored on the desktop of an IdM client
By configuring Identity Management (IdM), IdM system administrators can enable users to authenticate to the IdM web UI and command-line interface (CLI) using a certificate that a Certificate Authority (CA) has issued to the users.
The web browser can run on a system that is not part of the IdM domain.
This user story provides instructions on how to effectively configure and test logging into Identity Management web UI and CLI with a certificate stored on the desktop of an IdM client. In following this user story,
- you can skip Requesting a new user certificate and exporting it to the client if the user you want to authenticate using a certificate already has a certificate;
- you can skip Making sure the certificate and user are linked together if the user’s certificate has been issued by the IdM CA.
Only Identity Management users can log into the web UI using a certificate. Active Directory users can log in with their user name and password.
10.1. Configuring the Identity Management Server for Certificate Authentication in the Web UI
As an Identity Management (IdM) administrator, you can allow users to use certificates to authenticate to your IdM environment.
As the Identity Management administrator:
On an Identity Management server, obtain administrator privileges and create a shell script to configure the server.
ipa-advise config-server-for-smart-card-authcommand, and save its output to a file, for example
# kinit admin # ipa-advise config-server-for-smart-card-auth >
Add execute permissions to the file using the
# chmod +x
On all the servers in the Identity Management domain, run the
with the path of the IdM Certificate Authority certificate,
/etc/ipa/ca.crt, as input if the IdM CA is the only certificate authority that has issued the certificates of the users you want to enable certificate authentication for:
with the paths leading to the relevant CA certificates as input if different external CAs signed the certificates of the users who you want to enable certificate authentication for:
Do not forget to run the script on each new replica that you add to the system in the future if you want to have certificate authentication for users enabled in the whole topology.
10.2. Requesting a new user certificate and exporting it to the client
As an Identity Management (IdM) administrator, you can create certificates for users in your IdM environment and export them to the IdM clients on which you want to enable certificate authentication for users.
You can skip this section if the user you want to authenticate using a certificate already has a certificate.
Optionally, create a new directory, for example
~/certdb/, and make it a temporary certificate database. When asked, create an NSS Certificate DB password to encrypt the keys to the certificate to be generated in a subsequent step:
~/certdb/# certutil -N -d
~/certdb/Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password: Re-enter password:
Create the certificate signing request (CSR) and redirect the output to a file. For example, to create a CSR with the name
4096bit certificate for the
idm_useruser in the
IDM.EXAMPLE.COMrealm, setting the nickname of the certificate private keys to
idm_userfor easy findability, and setting the subject to
# certutil -R -d
When prompted, enter the same password that you entered when using
certutilto create the temporary database. Then continue typing randlomly until told to stop:
Enter Password or Pin for "NSS Certificate DB": A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full:
Submit the certificate request file to the server. Specify the Kerberos principal to associate with the newly-issued certificate, the output file to store the certificate, and optionally the certificate profile. For example, to obtain a certificate of the
IECUserRolesprofile, a profile with added user roles extension, for the
IDM.EXAMPLE.COMprincipal, and save it in the
# ipa cert-request
Add the certificate to the NSS database. Use the
-noption to set the same nickname that you used when creating the CSR previously so that the certificate matches the private key in the NSS database. The
-toption sets the trust level. For details, see the certutil(1) man page. The
-ioption specifies the input certificate file. For example, to add to the NSS database a certificate with the
idm_usernickname that is stored in the
~/idm_user.pemfile in the
# certutil -A -d
idm_user-t "P,," -i
Verify that the key in the NSS database does not show
(orphan)as its nickname. For example, to verify that the certificate stored in the
~/certdb/database is not orphaned:
# certutil -K -d
~/certdb/< 0> rsa 5ad14d41463b87a095b1896cf0068ccc467df395 NSS Certificate DB:idm_user
pk12utilcommand to export the certificate from the NSS database to the PKCS12 format. For example, to export the certificate with the
idm_usernickname from the
/root/certdbNSS database into the
# pk12util -d
idm_userEnter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL
Transfer the certificate to the host on which you want the certificate authentication for
idm_userto be enabled:
On the host to which the certificate has been transferred, make the directory in which the .pkcs12 file is stored inaccessible to the 'other' group for security reasons:
# chmod o-rwx
For security reasons, remove the temporary NSS database and the .pkcs12 file from the server:
10.4. Configuring a browser to enable certificate authentication
To be able to authenticate with a certificate when using the WebUI to log into Identity Management (IdM), you need to import the user and the relevant certificate authority (CA) certificates into the Mozilla Firefox or Google Chrome browser. The host itself on which the browser is running does not have to be part of the IdM domain.
IdM supports the following browsers for connecting to the WebUI:
- Mozilla Firefox 38 and later
- Google Chrome 46 and later
The following procedure shows how to configure the Mozilla Firefox 57.0.1 browser.
- You have the user certificate that you want to import to the browser at your disposal in the PKCS#12 format.
Open Firefox, then navigate to
Privacy & Security.
Figure 10.1. Privacy and Security section in Preferences
Click View Certificates.
Figure 10.2. View Certificates in Privacy and Security
Your Certificatestab, click Import. Locate and open the certificate of the user in the PKCS12 format, then click OK and OK.
Make sure that the Identity Management Certificate Authority is recognized by Firefox as a trusted authority:
Save the IdM CA certificate locally:
Navigate to the IdM web UI by writing the name of your IdM server in the Firefox address bar. Click
Advancedon the Insecure Connection warning page.
Figure 10.3. Insecure Connection
Add Exception. Click
Figure 10.4. View the Details of a Certificate
Detailstab, highlight the
Figure 10.5. Exporting the CA Certificate
Click Export. Save the CA certificate, for example as the
CertificateAuthority.crtfile, then click Close, and Cancel.
Import the IdM CA certificate to Firefox as a trusted certificate authority certificate:
Open Firefox, navigate to Preferences and click Privacy & Security.
Figure 10.6. Privacy and Security section in Preferences
Click View Certificates.
Figure 10.7. View Certificates in Privacy and Security
Authoritiestab, click Import. Locate and open the CA certificate that you saved in the previous step in the
CertificateAuthority.crtfile. Trust the certificate to identify websites, then click OK and OK.
- Continue to Authenticating to the Identity Management Web UI with a Certificate as an Identity Management User.
10.5. Authenticating to the Identity Management Web UI with a Certificate as an Identity Management User
This procedure describes authenticating as a user to the Identity Management (IdM) web UI using a certificate stored on the desktop of an Identity Management client.
In the browser, navigate to the Identity Management web UI at, for example,
Click Login Using Certificate.
.Login Using Certificate in the Identity Management web UI
- The user’s certificate should already be selected. Uncheck Remember this decision, then click OK.
You are now authenticated as the user who corresponds to the certificate.
10.6. Configuring an IdM client to enable authenticating to the CLI using a certificate
To make certificate authentication work for an IdM user in the Command Line Interface (CLI) of your IdM client, import the IdM user’s certificate and the private key to the IdM client. For details on creating and transferring the user certificate, see Requesting a new user certificate and exporting it to the client.
Log into the IdM client and have the .p12 file containing the user’s certificate and the private key ready. To obtain and cache the Kerberos ticket granting ticket (TGT), run the
kinitcommand with the user’s principal, using the
-Xoption with the
X509_username:/path/to/file.p12attribute to specify where to find the user’s X509 identity information. For example, to obtain the TGT for
idm_userusing the user’s identity information stored in the
$ kinit -X X509_idm_user='PKCS12:~/idm_user.p12' idm_userNote
The command also supports the .pem file format: kinit -X X509_username='FILE:/path/to/cert.pem,/path/to/key' user_principal