Ronald Wimmer wrote:
> On 04.04.25 15:12, Rob Crittenden wrote:
>> Ronald Wimmer wrote:
>>> On 04.04.25 14:30, Rob Crittenden via FreeIPA-users wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> Is there a way to ensure that an IPA host certificate can only be used
>>>>> on a specific device? Like one can do it with a TPM module?
>>>>>
>>>>> What other approaches would be feasible?
>>>>
>>>> Can you expand on what you're asking? What does "work" mean here?
>>>
>>> I do not see where I used the word "work" here... but I will explain my
>>> use case a little more in detail.
>>>
>>> What we want is a certificate that is used for VPN auth that
>>> cannot/should not leave the device because we want to disallow VPN
>>> connections for private devices.
>>>
>>>> I assume by mentioning TPM you want a secure place to store the private
>>>> key so it can't be extracted?
>>>
>>> Yes. That is our intention.
>>>
>>>> IIRC there is a pkcs#11 driver for TPM so perhaps that could even work
>>>> with certmonger. I've never tried.
>>> Ok. I'll look into it. Would such a cert be manageable via IPA?
>>
>> The trouble you may have is that any IPA-enrolled host can obtain a
>> certificate for itself or for its services. You can protect the private
>> key on the TPM but IPA has no idea (or cares) where the private key
>> lives. If it gets an authenticated request with a CSR for a valid IPA
>> host or service then it will issue a certificate for it.
>>
>> There is not currently, to my knowledge, a way to layer on additional
>> restrictions onto the certificate request.
>>
>> So if you are not allowing private devices (BYO laptop or phone for
>> example) to enroll as an IPA client then that would be one way to
>> restrict the certificates. If they can't get a certificate at all they
>> can't use the VPN.
> You are right. As the VPN Gateway has to trust IPA's CA this will be a
> good way. (But one could still copy over such a cert plus key to another
> host, right?)
Yes, one could copy certificates and keys (assuming not on the TPM). I don't
know how your VPN handles authentication. I'd be surprised if it would/could
support validating that the originating host matches the subject of the
certificate. This would be a NAT nightmare.

But if you store the private key on the TPM then yeah, even if someone had a
copy of the cert that would do them no good. But I have no idea whether a TPM
can do that. What size keys are supported, etc. And it may vary by motherboard
manufacturer, how virtual TPM would work, etc.

It's a sticky problem for sure.

rob
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
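The thread's practical point is that a certificate whose private key sits in a file or in the software NSS database can simply be copied to another machine, while a key generated on a TPM-backed PKCS#11 token cannot. One way to check which case a host is in is to read what certmonger itself reports: `getcert list` prints a `key pair storage:` line for every tracked request, with `type=FILE` (a PEM key on disk) or `type=NSSDB` plus the NSS `token=` the key lives on. The script below is an added example, not code from FreeIPA, certmonger or anyone on this thread. It parses that layout from a constructed sample and flags every request whose key is copyable. The token label `tpm2-token` is a hypothetical name you would assign when registering the tpm2-pkcs11 module with NSS; substitute whatever label your module uses.

```python
"""Audit certmonger-tracked requests for private keys that can leave the host.

Added example (not FreeIPA or certmonger code). It parses the text that
`getcert list` prints and reports, per tracking request, whether the private
key lives in a plain file, in the software NSS database, or on a named PKCS#11
token such as a TPM. The sample input is constructed to mimic the getcert
layout; the token label 'tpm2-token' is a hypothetical name.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
KEY_STORAGE_RE = re.compile(r"^\s*key pair storage:\s*(?P<spec>.+?)\s*$")
# key=value pairs; values are either single-quoted or bare up to the next comma
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,]+))")

# Software-only tokens: keys in them are files on disk and exportable (pk12util).
SOFTWARE_TOKENS = {"NSS Certificate DB", "NSS Internal PKCS #11 Module", None}
# Hypothetical label given to the TPM-backed PKCS#11 token (constructed).
HARDWARE_TOKENS = {"tpm2-token"}


@dataclass
class KeyStorage:
    request_id: str
    storage_type: str        # FILE or NSSDB, as printed by getcert
    location: str            # path of the PEM key or of the NSS database
    token: Optional[str]     # NSS token name, None when getcert prints none


def parse_fields(spec: str) -> Dict[str, str]:
    """Turn "type=NSSDB,location='/x',token='y'" into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(spec)}


def parse_getcert_list(text: str) -> List[KeyStorage]:
    """Collect the key pair storage line of every request in getcert output."""
    entries: List[KeyStorage] = []
    current_id: Optional[str] = None
    for line in text.splitlines():
        req = REQUEST_RE.match(line)
        if req:
            current_id = req.group("id")
            continue
        ks = KEY_STORAGE_RE.match(line)
        if ks and current_id is not None:
            fields = parse_fields(ks.group("spec"))
            entries.append(KeyStorage(
                request_id=current_id,
                storage_type=fields.get("type", ""),
                location=fields.get("location", ""),
                token=fields.get("token"),
            ))
    return entries


def is_hardware_backed(entry: KeyStorage) -> bool:
    """True only when the key sits on a token we know to be hardware (TPM)."""
    if entry.storage_type != "NSSDB":
        return False          # type=FILE: a PEM key that root can copy anywhere
    if entry.token in SOFTWARE_TOKENS:
        return False          # software NSS DB: exportable, so also copyable
    return entry.token in HARDWARE_TOKENS


def audit(text: str) -> Dict[str, bool]:
    """Map request ID -> whether its private key is hardware resident."""
    return {e.request_id: is_hardware_backed(e) for e in parse_getcert_list(text)}


# Constructed sample in the `getcert list` layout (not output from a real host).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20250404120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/vpn.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/vpn.crt'
Request ID '20250404120001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='vpn-client',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='vpn-client',token='NSS Certificate DB'
Request ID '20250404120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='vpn-client-tpm',token='tpm2-token'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='vpn-client-tpm',token='tpm2-token'
"""

if __name__ == "__main__":
    for rid, hw in audit(SAMPLE_GETCERT_LIST).items():
        print(f"{rid}: {'hardware-backed' if hw else 'COPYABLE key'}")
```

Run it against real output with `getcert list | python3 audit_keys.py` after swapping the sample for `sys.stdin.read()`. The check is deliberately conservative: anything not on an explicitly named hardware token is reported as copyable, which matches Rob's point that IPA itself never knows or cares where the key lives, so the host is the only place this can be verified.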
