Bug 1570482

Summary: Document certificate profiles creation, modification, and management for RHEL IdM
Product: Red Hat Enterprise Linux 7
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.5
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: medium
Target Milestone: rc
Keywords: Documentation
Reporter: Alexander Bokovoy <abokovoy>
Assignee: Marc Muehlfeld <mmuehlfe>
QA Contact: ipa-qe <ipa-qe>
CC: jswensso, mkosek, rhel-docs
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2019-04-16 07:32:40 UTC
Type: Bug
Bug Depends On: 1576720

Description Alexander Bokovoy 2018-04-23 04:13:49 UTC
RHEL documentation on IdM side is lacking a clear explanation on what OIDs are included in the default certificate profiles and how to specify them using recommended methods.

In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24 "Managing Certificates for Users, Hosts, and Services" only covers how to issue certificates using 'ipa cert-request' without explanation of its parameters. It does not refer to certmonger documentation at all.

It doesn't provide any table with OIDs from the default profile in IPA. There is a reference to the defaults for profiles in RHCS documentation but it is very easy to miss.

Comment 4 Marc Muehlfeld 2019-03-19 12:39:00 UTC
I need some help to update the documentation.


(In reply to Alexander Bokovoy from comment #0)
> RHEL documentation on IdM side is lacking a clear explanation on what OIDs
> are included in the default certificate profiles and how to specify them
> using recommended methods.

Can you please provide me with what OIDs are included and details on how to specify them?



> In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24
> "Managing Certificates for Users, Hosts, and Services" only covers how to
> issue certificates using 'ipa cert-request' without explanation of its
> parameters. It does not refer to certmonger documentation at all.

What parameters should be explained? Only --profile-id= or all? Can you provide me with the information that should be added to the docs?

To what certmonger docs should chapter 24 refer? To https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/certmongerx ?



> There is a reference to the defaults for profiles in RHCS documentation but
> it is very easy to miss.

I can move the
> For details on supported certificate profile configuration, see Defaults Reference and Constraints Reference in the Red Hat Certificate System Administration Guide.
paragraph to a new small separate section ("Creating a Certificate Profile"). Then it's easier to find.

Comment 7 Alexander Bokovoy 2019-04-10 04:05:11 UTC
The problem with documenting OIDs is that they are coming from Dogtag and while FreeIPA is using Dogtag profiles, it doesn't define them itself. So it is probably better to have that information clearly referenced in Dogtag documentation and then linked to IdM guide.

For certmonger docs reference you are linking the right chapter, thanks.

Comment 10 Marc Muehlfeld 2019-04-15 15:22:37 UTC
All previews are temporary.

(In reply to Alexander Bokovoy from comment #0)
> In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24
> "Managing Certificates for Users, Hosts, and Services" only covers how to
> issue certificates using 'ipa cert-request' without explanation of its
> parameters.

Step 3 in http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#requesting-cert-certutil explains the other available options of "ipa cert-request".


> It does not refer to certmonger documentation at all.

I've added "24.1.1.3. Requesting New Certificates Using Certmonger":
http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#reqesting-new-certificates-using-certmonger


> It doesn't provide any table with OIDs from the default profile in IPA.
> There is a reference to the defaults for profiles in RHCS documentation but
> it is very easy to miss.

I linked the RHCS docs in the new "24.4.1. Creating a Certificate Profile" section:

http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#creating-a-certificate-profile


Alexander, do these enhancements cover the docs updates you requested or does anything else need to be added or explained?

Comment 11 Alexander Bokovoy 2019-04-15 15:37:21 UTC
Yes, this all now looks quite good. The only odd thing I noticed is "24.1.1.2. Requesting New Certificates Using openSSL". I think it would be good to change this to "24.1.1.2. Preparing a certificate request with multiple SAN fields using openSSL" and mention that the resulting certificate request can be used with the 'ipa cert-request' command.

Comment 13 Marc Muehlfeld 2019-04-16 07:32:40 UTC
The update is now available on the Customer Portal.