Bug 1313679

Summary: Section 14.2.3., specify that CSRs are generated on nodes, not on IdM server
Product: Red Hat Enterprise Linux 7
Reporter: Roland Wolters <rwolters>
Component: doc-Linux_Domain_Identity_Management_Guide
Assignee: Aneta Šteflová Petrová <apetrova>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: apetrova, mkosek, rhel-docs, rwolters
Target Milestone: rc
Keywords: Documentation, EasyFix
Doc Type: Bug Fix
Last Closed: 2016-07-29 07:23:06 UTC
Type: Bug

Description Roland Wolters 2016-03-02 08:18:58 UTC
Description of problem:
The current documentation explains how to generate CSRs for services, but does not mention where these are usually generated - thus where the private keys are actually stored.
The examples in fact say "server", which might lead to the impression that the private keys are stored on the IdM and that the CSRs have to be generated on the IdM.

However, in real life the private key for a service should stay on the node where the service is actually run - and not on the IdM. Thus the CSR should also be generated on the "service node".

Version-Release number of selected component (if applicable):
Revision 7.0-14

Additional info:
I suggest to add something like the following clarification to the introduction of 14.2.3. So that the paragraph:
"The certificate request must be generated with a third-party tool such as certutil. The resulting certificate request can be submitted through the IdM web UI or command-line tools.
The service must already exist for a certificate to be requested. If the service does not yet exist, then with the command line, there is an option to create the service as part of requesting the certificate."

is extended by a paragraph along the lines of:
"The service usually runs on a dedicated service node on which the private key is stored. The private key should not be copied to the IdM, so the CSR needs to be created on the service node itself; the following certutil commands need to be executed on the service node."

Additionally, for better clarification it might make sense to change the following code examples in 14.2.3. from "server" to "service-node" in step 1. of 14.2.3.1. and 14.2.3.2.
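As an added illustration of the workflow this report asks the guide to spell out (example code, not from the ticket or the RHEL guide): the key pair and CSR are produced with certutil on the service node, and only the CSR file is submitted through the ipa client, guarded by a check that no private-key block is about to leave the node. The NSS database path, host name, principal and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket or the RHEL guide. Assumed values: the NSS
# database path, the host/principal names and the CSR file name.
NSSDB="${NSSDB:-/etc/pki/service-node-certs}"      # assumption: local NSS db on the service node
HOST_FQDN="${HOST_FQDN:-service-node.example.com}" # assumption
PRINCIPAL="HTTP/${HOST_FQDN}@EXAMPLE.COM"          # assumption
CSR_FILE="${CSR_FILE:-/tmp/${HOST_FQDN}.csr}"

# Step 1, run on the service node: create the NSS database and generate the key
# pair plus CSR there. The private key is written into $NSSDB and never leaves
# the node; only $CSR_FILE is handed to the IdM side.
generate_csr_on_service_node() {
    certutil -N -d "$NSSDB" --empty-password
    certutil -R -d "$NSSDB" -a -g 2048 \
        -s "CN=${HOST_FQDN},O=EXAMPLE.COM" -8 "$HOST_FQDN" -o "$CSR_FILE"
}

# Guard before the CSR file is copied anywhere: it must contain a PEM
# certificate request and must not contain any private-key block.
csr_is_key_free() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE REQUEST-----' "$f" || return 1
    if grep -q 'PRIVATE KEY' "$f"; then return 1; fi
    return 0
}

# Step 2, run where the ipa client and an admin Kerberos ticket are available
# (for example the IdM server or an admin workstation): submit only the CSR.
submit_csr_to_idm() {
    csr_is_key_free "$1" || { echo "refusing to submit $1: not a key-free CSR" >&2; return 1; }
    ipa cert-request --principal="$PRINCIPAL" "$1"
}

# Offline self-check with constructed (not real) PEM content: a bare CSR passes,
# a file that also carries a private key is rejected. Returns 0 if both hold.
selfcheck_csr_guard() {
    t=$(mktemp) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIBconstructedCSRbody==' \
        '-----END CERTIFICATE REQUEST-----' > "$t"
    csr_is_key_free "$t" || { rm -f "$t"; return 1; }
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructedkey==' \
        '-----END PRIVATE KEY-----' >> "$t"
    if csr_is_key_free "$t"; then rm -f "$t"; return 1; fi
    rm -f "$t"
    return 0
}
```

Call generate_csr_on_service_node on the node, copy only the resulting CSR file, and call submit_csr_to_idm with it where the ipa client is installed.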

Comment 5 Roland Wolters 2016-06-24 06:58:26 UTC
It is at least better than the original version. I would still have added a line saying that the certificate stays on a server different than the IdM, but this version is at least not as confusing as the original one. You can close if you want.

Comment 6 Aneta Šteflová Petrová 2016-06-24 07:04:21 UTC
Thanks for the update Roland. We will have a look at this BZ and make the change.

Comment 7 Aneta Šteflová Petrová 2016-06-30 08:22:25 UTC
I added an Important admonition to 17.1.1.:

----------
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service's private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the CSR on the service node, not on the IdM server.
----------

Roland, is this okay?