How can we create a CA-less Identity Management setup?

Solution Verified

Environment

  • Red Hat Enterprise Linux 7
  • Identity-Management (IPA)

Issue

  • We don't want to set up an embedded Certificate Authority with IdM
  • We prefer to have the server certificates signed by an external CA

Resolution

Please note that the following example uses OpenSSL to create the certificate signing request (CSR) and uses the same key and certificate for the HTTP and directory servers.

1) First create the private key and the CSR. The file names use the fully qualified host name of the IdM server (idm.example.com in this example), so make sure "hostname -f" returns it.

# mkdir /root/certs
# openssl genrsa -out /root/certs/http.$(hostname -f).key 2048

# openssl req -new \
-key /root/certs/http.$(hostname -f).key \
-out /root/certs/$(hostname -f).csr

2) Send the resulting CSR file to your Certificate Authority to have it signed.

3) Install the Identity Management framework with the certificate you received back from the CA, the private key file, and the full certificate chain of the CA that issued your server certificate. The --http-cert-file and --dirsrv-cert-file options may be given more than once, so the certificate and the key are passed as two separate files here; the pin options hold the password protecting the respective private key.

# ipa-server-install --http-cert-file /root/certs/http.idm.example.com.crt \
--http-cert-file /root/certs/http.idm.example.com.key \
--http-pin <your HTTPD PIN> \
--dirsrv-cert-file /root/certs/http.idm.example.com.crt \
--dirsrv-cert-file /root/certs/http.idm.example.com.key \
--dirsrv-pin <your DS PIN> --ca-cert-file ca-chain.p7b \
-n example.com -r EXAMPLE.COM
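Before handing the three files from steps 1 to 3 to ipa-server-install, it is worth confirming that they agree with each other: that the key really belongs to the certificate, that the certificate validates against the CA chain you were given, and that the certificate names the IdM server's FQDN. The following POSIX shell script is an added example and is not part of the Red Hat solution. It uses only the openssl command line; the throw-away CA, the host name idm.example.com and the file names it generates are constructed for the demonstration, and check_server_cert can be pointed at real files instead.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: pre-flight checks for the
# certificate, key and CA chain used in a CA-less IdM install. The demo CA,
# host name and file names below are constructed for this demonstration.
set -e

# check_server_cert CERT KEY CHAIN FQDN
# Verifies with OpenSSL that
#   1. the private key belongs to the certificate (same public key),
#   2. the certificate validates against the supplied CA chain (PEM),
#   3. the certificate carries a DNS subjectAltName equal to FQDN
#      (the name TLS clients match against; a bare CN is not checked here).
# Returns 0 when all three hold, 1 on the first failure (reason on stderr).
check_server_cert() {
    cert="$1"; key="$2"; chain="$3"; fqdn="$4"

    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi

    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to the CA in $chain" >&2
        return 1
    fi

    # Split the SAN line on commas, keep only DNS entries, require an exact match.
    if ! openssl x509 -in "$cert" -noout -text | tr ',' '\n' \
            | sed -n 's/^ *DNS:\(.*\)$/\1/p' | grep -qxF "$fqdn"; then
        echo "FAIL: $cert has no DNS subjectAltName for $fqdn" >&2
        return 1
    fi
    return 0
}

# make_demo_pki DIR FQDN
# Builds a throw-away root CA and a server certificate for FQDN (with a DNS
# SAN) in DIR, standing in for what an external CA would return in step 2.
# Extensions are supplied via -extfile so this works without an openssl.cnf.
make_demo_pki() {
    dir="$1"; fqdn="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.cnf"
    openssl x509 -req -days 1 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.cnf" -out "$dir/ca.crt" >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/http.$fqdn.key" -out "$dir/http.$fqdn.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/http.$fqdn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/http.$fqdn.crt" >/dev/null 2>&1
}

# Demo run: generate the constructed PKI and check it the way you would check
# the real /root/certs files before running ipa-server-install.
demo_dir=$(mktemp -d)
demo_fqdn="idm.example.com"
make_demo_pki "$demo_dir" "$demo_fqdn"
if check_server_cert "$demo_dir/http.$demo_fqdn.crt" "$demo_dir/http.$demo_fqdn.key" \
                     "$demo_dir/ca.crt" "$demo_fqdn"; then
    echo "OK: certificate, key and CA chain are consistent for $demo_fqdn"
fi
rm -rf "$demo_dir"
```

For a real install, call check_server_cert with the certificate returned by your CA, the key from step 1, the CA chain converted to PEM (openssl verify does not read PKCS#7), and the output of hostname -f; only proceed to ipa-server-install when it returns 0.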

Root Cause

In some setups, it may not be possible to install a Dogtag-based certificate service with the Identity Management server. In that case, it is possible to install Identity Management without an integrated Certificate System instance, as long as all required certificates are created and installed independently.

A CA-less installation requires you to provide:

  • An LDAP server certificate and a private key
  • An Apache server certificate and a private key
  • The full CA certificate chain of the CA that issued the LDAP and Apache server certificates

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
