Fantastic thank you!

On 16 Mar 2016 12:21 a.m., "Fraser Tweedale" <[email protected]> wrote:

> On Tue, Mar 15, 2016 at 09:39:12AM +0000, Alessandro De Maria wrote:
> > Thank you Martin that's very helpful.
> >
> > The annoying thing about cut/paste from web ui is that the cert is not
> > wrapped at 60 chars like it should be, but I guess I'll have to wait for
> > the save certificate functionality.
> > Any idea of when that's planned for?
> >
> > Regards
> > Alessandro
> >
> Hi Alessandro,
>
> The easiest way to get the cert is with the `ipa user-show` (if
> it was saved to the IPA direct after issuance, which is controlled
> by the `store` option Martin mentioned). E.g.:
>
>     ipa user-show alice --out=cert.pem
>
> Which will save alice's certificate(s) to the file `cert.pem`.
>
> If you copy the data from the web UI and save it to a file, the
> following will convert it to PEM:
>
>     base64 -d < cert.txt | openssl x509 -inform DER > cert.pem
>
> Finally, to configure a profile to issue certificates with a
> validity of X days, the relevant profile configuration is:
>
>     policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
>     policyset.serverCertSet.2.constraint.name=Validity Constraint
>     policyset.serverCertSet.2.constraint.params.range=740
>     policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
>     policyset.serverCertSet.2.constraint.params.notAfterCheck=false
>     policyset.serverCertSet.2.default.class_id=validityDefaultImpl
>     policyset.serverCertSet.2.default.name=Validity Default
>     policyset.serverCertSet.2.default.params.range=X
>     policyset.serverCertSet.2.default.params.startTime=0
>
> Replace `X` above with the desired lifetime in days. (Note that the
> index (`2`, above) may be different for different profiles.)
>
> Cheers,
> Fraser
>
> > On 15 March 2016 at 08:50, Martin Babinsky <[email protected]> wrote:
> >
> > > On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> > >
> > >> Hello,
> > >>
> > >> I would like to have authenticated users upload a CSR request and
> > >> have their certificate automatically signed. Their certificate would
> > >> expire in x days.
> > >>
> > >> Given the short life of the certificate, I would then like them to be
> > >> able to easily download the certificate.
> > >>
> > >> Any suggestion on how to do it?
> > >> I would prefer the shell script approach but also having it self
> > >> serviced on the web ui would be great.
> > >>
> > >> Regards
> > >>
> > >> --
> > >> Alessandro De Maria
> > >> [email protected]
> > >>
> > > Hi Alessandro,
> > >
> > > for FreeIPA 4.2+ you can use the following links as a guide to set up a
> > > custom profile and CA ACL rules so that users can request certificates for
> > > themselves:
> > >
> > > http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
> > >
> > > https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
> > >
> > > The user then can generate a CSR request e.g. using OpenSSL and use 'ipa
> > > cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> > > the custom certificate profile, the certificate will be added to the user
> > > entry as 'usercertificate;binary' attribute which he can view from
> > > CLI/WebUI as PEM and save it to a file by copy-pasting it (the
> > > functionality to save the certificate directly to a file is under
> > > development).
> > >
> > > It should be possible to modify the certificate profile to restrict the
> > > maximum validity of the issued certificate but I have no knowledge about
> > > that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> > > with this.
> > >
> > > --
> > > Martin^3 Babinsky
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> > >
> >
> > --
> > Alessandro De Maria
> > [email protected]
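Added example (not from this thread, nor FreeIPA or Dogtag code) covering the two technical points Fraser raised: turning the base64 blob copied out of the web UI into a PEM file, and sanity-checking the validity settings of a profile like the one he quoted. It assumes that the web UI shows the raw base64 of the DER certificate (possibly on one long line with stray whitespace), that the standard PEM line width of 64 characters is what you want, and that Dogtag's validityConstraintImpl refuses a validity longer than its `range` parameter, so the Validity Default `range` (Fraser's `X`) must not exceed the constraint's `range`. The sample certificate bytes and the two profile fragments are constructed for the example; the helper names are this example's own.

```python
"""Rebuild PEM from a web-UI base64 paste and check a profile's validity
settings. Everything below is an added example; the DER bytes and profile
fragments are constructed, and the behaviour of validityConstraintImpl is an
assumption stated in the lead-in."""
import base64
import re

PEM_LINE_WIDTH = 64  # standard PEM body line width (RFC 7468)


def ui_blob_to_pem(blob: str) -> str:
    """Convert copy-pasted base64 DER into a PEM certificate block.

    Whitespace/newlines from the paste are stripped, the base64 is decoded
    with strict alphabet validation, the DER is checked to start with an
    ASN.1 SEQUENCE tag (0x30) as a cheap sanity check, and the body is
    re-wrapped at 64 characters between the PEM armour lines.
    """
    b64 = re.sub(r"\s+", "", blob)
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + PEM_LINE_WIDTH] for i in range(0, len(body), PEM_LINE_WIDTH)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of ui_blob_to_pem: strip the armour and decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def looks_like_der_blob(blob: str) -> bool:
    """True if the paste decodes to something that starts like a DER cert."""
    try:
        ui_blob_to_pem(blob)
        return True
    except (ValueError, base64.binascii.Error):
        return False


def parse_profile(text: str) -> dict:
    """Parse key=value lines of a Dogtag profile config into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_validity(cfg: dict, policyset: str = "serverCertSet", index: int = 2):
    """Return (default_days, constraint_days, ok) for one policy slot.

    ok is False when the default lifetime exceeds the constraint range, which
    (under the assumption in the lead-in) would make every request fail.
    """
    prefix = f"policyset.{policyset}.{index}."
    if cfg.get(prefix + "constraint.class_id") != "validityConstraintImpl":
        raise KeyError(f"{prefix} is not a validity constraint slot")
    constraint_days = int(cfg[prefix + "constraint.params.range"])
    default_days = int(cfg[prefix + "default.params.range"])
    return default_days, constraint_days, default_days <= constraint_days


# --- constructed sample data -------------------------------------------------
# A fake DER "certificate": SEQUENCE tag, one-byte length 100, then 100 bytes.
CONSTRUCTED_DER = bytes([0x30, 0x64]) + bytes(range(100))
_b64 = base64.b64encode(CONSTRUCTED_DER).decode("ascii")
# Simulate a messy paste: a line break in the middle and trailing whitespace.
SAMPLE_BLOB = _b64[:50] + "\n" + _b64[50:] + " \n"

_PROFILE_TEMPLATE = """
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range={x}
policyset.serverCertSet.2.default.params.startTime=0
"""
SAMPLE_PROFILE_OK = _PROFILE_TEMPLATE.format(x=365)    # X within the constraint
SAMPLE_PROFILE_BAD = _PROFILE_TEMPLATE.format(x=1000)  # X exceeds 740-day constraint

if __name__ == "__main__":
    print(ui_blob_to_pem(SAMPLE_BLOB))
    for name, prof in (("ok", SAMPLE_PROFILE_OK), ("bad", SAMPLE_PROFILE_BAD)):
        print(name, check_validity(parse_profile(prof)))
```

Run it with a real paste by replacing SAMPLE_BLOB with the text from the user's entry; a successful round trip through `openssl x509 -in cert.pem -noout -dates` is the final confirmation, since the 0x30 check only rules out obviously wrong input.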
