Ronald Wimmer wrote:
> On 04.04.25 14:30, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> Is there a way to ensure that an IPA host certificate can only be used
>>> on a specific device? Like one can do it with a TPM module?
>>>
>>> What other approaches would be feasible?
>>
>> Can you expand on what you're asking? What does "work" mean here?
>
> I do not see where I used the word "work" here... but I will explain my
> use case a little more in detail.
>
> What we want is a certificate that is used for VPN auth that
> cannot/should not leave the device because we want to disallow VPN
> connections for private devices.
>
>> I assume by mentioning TPM you want a secure place to store the private
>> key so it can't be extracted?
>
> Yes. That is our intention.
>
>> IIRC there is a pkcs#11 driver for TPM so perhaps that could even work
>> with certmonger. I've never tried.
>
> Ok. I'll look into it. Would such a cert be manageable via IPA?
The trouble you may have is that any IPA-enrolled host can obtain a certificate for itself or for its services. You can protect the private key on the TPM, but IPA has no idea (or cares) where the private key lives. If it gets an authenticated request with a CSR for a valid IPA host or service then it will issue a certificate for it.

There is not currently, to my knowledge, a way to layer additional restrictions onto the certificate request.

So if you are not allowing private devices (BYO laptop or phone, for example) to enroll as an IPA client then that would be one way to restrict the certificates. If they can't get a certificate at all they can't use the VPN.

rob
