Would anyone happen to have any guides on how one could get through this process? I'm a one-man IT shop at the moment, so I'm building up a tremendous amount of infrastructure at once. I'm thinking that the option of creating a subCA with something simple like openssl would be the best option, but figuring out that process in a minimal amount of time is going to be tough.
I'm going to try and give myself some reading assignments and push that forward, but if anyone happens to have a good handle on that process/commands/etc. and would be interested in double a couple of hours of consulting to me, I would be very interested in listening provided we could come up with a reasonable rate/timeframe.

If anyone is interested, please contact me directly off-list.

Thanks again. These answers/ideas have been most helpful.

On Fri, Feb 6, 2015 at 9:30 AM, Martin Kosek <[email protected]> wrote:

> On 02/06/2015 12:53 AM, Christopher Young wrote:
> > Obvious next question: Any plans to implement that functionality or advice
> > on how one might get some level of functionality for this? Would it be
> > possible to create another command-line based openssl CA that could issue
> > these but using IPA as the root CA for those?
>
> As for FreeIPA plans, we plan to vastly improve our flexibility to process
> certificates in next upstream version - FreeIPA 4.2. In next version, one
> should be able to create other certificate profiles (from FreeIPA default
> service cert profile) or even subCAs to do what you want.
>
> As for current workarounds, you would have to issue and sign a for example NSS
> or openssl based subCA and then sign user certs there. But I would leave Fraser
> or Jan to tell if this would be really possible.
>
> > I'm just trying to provide a solution for situations where we would like to
> > utilize client/user cert authentication for situations like secure apache
> > directory access as well as user VPN certificates. Any advice or ideas are
> > greatly appreciated.
> >
> > Thanks again!
> >
> > On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden <[email protected]> wrote:
> >
> >> Christopher Young wrote:
> >>> Some of this might be rudimentary, so I apologize if this is answered
> >>> somewhere, though I've tried to search and have not had much luck...
> >>>
> >>> Basically, I would like to be able to issue user certificates (Subject:
> >>> [email protected]) in order to use client SSL security on
> >>> some things. I'm very new to FreeIPA, but have worked with external CAs
> >>> in the past for similar requests, however this is my first entry into
> >>> creating/running a localized CA within an organization.
> >>
> >> IPA doesn't issue user certificates yet, only server certificates.
> >>
> >>> I was wondering if this is possible via the command line, and if so, how
> >>> to go about submitting the request and receiving the certificate. Any
> >>> guidance or assistance would be greatly appreciated!
> >>>
> >>> Additionally, just as a matter of cleanliness, is there any way possible
> >>> to just completely wipe out the existence of a certificate/request from
> >>> FreeIPA. I have done some trial-and-error and obviously have made
> >>> mistakes that I'd prefer to clean up after. I've revoked those certs,
> >>> however the perfectionist in me hates seeing them there. I'm quite
> >>> certain the answer is 'no', but I thought I would ask anyway.
> >>
> >> Right, the answer is no. In fact it is a good thing that all
> >> certificates are accounted for.
> >>
> >> rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
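
The workaround described in the thread (an openssl-based sub-CA that signs user certificates), as an added example that is not part of the original messages and not FreeIPA tooling. The root here is a constructed stand-in for the IPA CA, because the thread leaves open whether IPA will sign a sub-CA request; all subjects, file names and the `issue`/`verify_user` helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stand-in root -> sub-CA -> user client certificate.
# Every name below (EXAMPLE.TEST, alice, file names) is constructed.
set -eu
cd "$(mktemp -d)"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[subca_ext]
# pathlen:0: the sub-CA may sign end-entity certs but no further CAs
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[user_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@example.test
EOF

# issue NAME SUBJECT EXT_SECTION SIGNER   (SIGNER "self" = self-signed root)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    if [ "$4" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
            -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
            -CAcreateserial -days 30 -sha256 \
            -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
    fi
}

# verify_user PURPOSE: OK if user.crt chains to the root via the sub-CA
# and is acceptable for PURPOSE (sslclient, sslserver, ...)
verify_user() {
    openssl verify -purpose "$1" -CAfile root.crt -untrusted subca.crt \
        user.crt >/dev/null 2>&1 && echo OK || echo FAIL
}

issue root  "/O=EXAMPLE.TEST/CN=Stand-in Root CA" root_ext  self
issue subca "/O=EXAMPLE.TEST/CN=User Cert Sub-CA" subca_ext root
issue user  "/O=EXAMPLE.TEST/CN=alice"            user_ext  subca
echo "client auth: $(verify_user sslclient)  server auth: $(verify_user sslserver)"
```

A relying service such as Apache or a VPN endpoint would need to trust the root and be given the sub-CA certificate as an intermediate, and the sub-CA key deserves the same protection as any other CA key.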
