Bug 1200694 - [RFE] Support for multiple cert profiles
Summary: [RFE] Support for multiple cert profiles
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On: 1200728 1248725
Blocks: 1181710
Reported: 2015-03-11 08:32 UTC by Martin Kosek
Modified: 2021-03-11 14:19 UTC
CC List: 6 users

Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Release Note
Doc Text:
Support for multiple certificate profiles and user certificates

Identity Management now supports multiple profiles for issuing server and other certificates instead of only supporting a single server certificate profile. The profiles are stored in the Directory Server and shared between IdM replicas. In addition, the administrator can now issue certificates to individual users. Previously, it was only possible to issue certificates to hosts and services.
Clone Of:
Clones: 1248469
Environment:
Last Closed: 2015-11-19 12:01:54 UTC
Target Upstream Version:
Embargoed:

Links
System ID: Red Hat Product Errata RHBA-2015:2362
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-11 08:32:29 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/57

We currently support a single certificate profile, for issuing server certs. If we are going to need to issue certificates for other profiles (e.g. tickets #53, 55) then we need to add the plumbing for that.

Profiles will be stored in Dogtag. A small amount of metadata will be stored in FreeIPA's directory to track these profiles, store their current state (enabled, disabled) and mapping to groups that are allowed to use the profile.

IPA must be modified to respect the profile parameter in requests from Certmonger (currently ignored).

Rich profile management (use of a command-line tool or Web UI to build new profiles for use with FreeIPA, rather than presupposing the existence of a profile) can be implemented on top of the basic profiles support, if there is demand. At a minimum, there should be tutorials and improved documentation in Dogtag for how to define certificate profiles.

Comment 1 Petr Vobornik 2015-04-07 13:11:49 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4970

Comment 2 Petr Vobornik 2015-04-14 15:29:33 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2915

Comment 3 Petr Vobornik 2015-04-14 15:45:15 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4752

Comment 6 Martin Kosek 2015-06-30 10:47:41 UTC
The functionality is there. From now on, the feature is in bugfixing mode upstream.

Comment 7 Martin Kosek 2015-07-07 12:25:40 UTC
Ticket 4970 was unlinked from this Bugzilla, as it was postponed upstream:

https://fedorahosted.org/freeipa/ticket/4970#comment:10

Comment 10 Jan Cholasta 2015-07-15 11:57:49 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5074

Comment 12 Scott Poore 2015-08-04 13:02:57 UTC
Marking this one back to assigned since it is blocked by bug #1248725.

Comment 13 Scott Poore 2015-08-04 13:37:27 UTC
Moving back to ON_QA as bug #1248725 was resolved as a simple configuration issue and not a bug.

Comment 14 Jan Cholasta 2015-08-10 07:02:57 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5089

Comment 15 Jan Cholasta 2015-08-10 07:17:43 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5090

Comment 17 Jan Cholasta 2015-08-11 10:25:36 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5190

Comment 21 Jan Cholasta 2015-08-11 13:39:44 UTC
Unlinking ticket 2915, as it has been postponed upstream:

https://fedorahosted.org/freeipa/ticket/2915#comment:11

Comment 22 Jan Cholasta 2015-08-11 13:50:29 UTC
Also unlinking ticket 5089, as it has not been fixed upstream yet and it is not critical for this RFE.

Comment 29 Scott Poore 2015-08-25 21:37:57 UTC
Verified.

Version ::

ipa-server-4.2.0-5.el7.x86_64

Results ::

[root@master /]# ipa help certprofile
Manage Certificate Profiles

Certificate Profiles are used by Certificate Authority (CA) in the signing of
certificates to determine if a Certificate Signing Request (CSR) is acceptable,
and if so what features and extensions will be present on the certificate.

The Certificate Profile format is the property-list format understood by the
Dogtag or Red Hat Certificate System CA.

PROFILE ID SYNTAX:

A Profile ID is a string without spaces or punctuation starting with a letter
and followed by a sequence of letters, digits or underscore ("_").

EXAMPLES:

  Import a profile that will not store issued certificates:
    ipa certprofile-import ShortLivedUserCert \
      --file UserCert.profile --desc "User Certificates" \
      --store=false

  Delete a certificate profile:
    ipa certprofile-del ShortLivedUserCert

  Show information about a profile:
    ipa certprofile-show ShortLivedUserCert

  Save profile configuration to a file:
    ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg

  Search for profiles that do not store certificates:
    ipa certprofile-find --store=false

PROFILE CONFIGURATION FORMAT:

The profile configuration format is the raw property-list format
used by Dogtag Certificate System.  The XML format is not supported.

The following restrictions apply to profiles managed by FreeIPA:

- When importing a profile the "profileId" field, if present, must
  match the ID given on the command line.

- The "classId" field must be set to "caEnrollImpl"

- The "auth.instance_id" field must be set to "raCertAuth"

- The "certReqInputImpl" input class and "certOutputImpl" output
  class must be used.

Topic commands:
  certprofile-del     Delete a Certificate Profile.
  certprofile-find    Search for Certificate Profiles.
  certprofile-import  Import a Certificate Profile.
  certprofile-mod     Modify Certificate Profile configuration.
  certprofile-show    Display the properties of a Certificate Profile.

To get command help, use:
  ipa <command> --help

[root@master /]# ipa certprofile-show caIPAserviceCert --out=/tmp/caIPAserviceCert.out
----------------------------------------------------------------
Profile configuration stored in file '/tmp/caIPAserviceCert.out'
----------------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@master /]# cat /tmp/caIPAserviceCert.out
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
enable=true
enableBy=ipara
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.testrelm.test/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
profileId=caIPAserviceCert
visible=false

[root@master /]#  cp /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg

[root@master /]# vim /tmp/newcertprofile.cfg

[root@master /]# diff /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg
3c3
< desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
---
> desc=New Profile for Testing
9c9
< name=IPA-RA Agent-Authenticated Server Certificate Enrollment
---
> name=New IPA-RA based profile for test
88c88
< policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
---
> policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
108d107
< profileId=caIPAserviceCert


[root@master /]# ipa certprofile-import new_cert_profile --file=/tmp/newcertprofile.cfg --store=True --desc="New Cert Profile"
-----------------------------------
Imported profile "new_cert_profile"
-----------------------------------
  Profile ID: new_cert_profile
  Profile description: New Cert Profile
  Store issued certificates: TRUE


[root@master /]# ipa user-add --first=testuser1 --last=lastname --email=testuser1 testuser1
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: testuser1
  Last name: lastname
  Full name: testuser1 lastname
  Display name: testuser1 lastname
  Initials: tl
  Home directory: /home/testuser1
  GECOS: testuser1 lastname
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 744800005
  GID: 744800005
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master /]# echo redhat|ipa passwd testuser1
----------------------------------------------
Changed password for "testuser1"
----------------------------------------------
[root@master /]# echo -e 'redhat\nSecret123\nSecret123' | kinit testuser1
Password for testuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@master /]# kdestroy -A
[root@master /]# echo Secret123|kinit admin
Password for admin: 
[root@master /]# cat > testuser1.cnf <<EOF
> [req]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> req_extensions = v3_req
> prompt = no
> encrypt_key = no
> 
> [req_distinguished_name]
> commonName = testuser1
> 
> [ v3_req ]
> subjectAltName = email:testuser1
> EOF
[root@master /]# 
[root@master /]# openssl req -out testuser1.csr -new -newkey rsa:2048 -nodes -keyout testuser1.key -config testuser1.cnf
Generating a 2048 bit RSA private key
.......................+++
............................................................................+++
writing new private key to 'testuser1.key'
-----
[root@master /]# 
[root@master /]# ipa caacl-add --profilecat=all wide_open_acls --usercat=all --hostcat=all --servicecat=all
-----------------------------
Added CA ACL "wide_open_acls"
-----------------------------
  ACL name: wide_open_acls
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all
[root@master /]# ipa cert-request testuser1.csr --profile-id=new_cert_profile --principal=testuser1
  Certificate: [base64 certificate data omitted from this copy]
  Subject: CN=testuser1,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 25 21:37:10 2015 UTC
  Not After: Fri Aug 25 21:37:10 2017 UTC
  Fingerprint (MD5): 3c:f1:fb:d5:09:ee:f4:2f:c9:89:20:9e:44:84:66:86
  Fingerprint (SHA1): 0b:50:49:64:ef:ba:67:a7:9a:e2:bb:f9:54:0c:0f:10:3b:84:f6:52
  Serial number: 23
  Serial number (hex): 0x17
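
The import restrictions listed under PROFILE CONFIGURATION FORMAT in the help text above, together with the export/edit/import workflow in the verification transcript, as an added example (not FreeIPA or Dogtag code, and not part of the bug thread): a small Python checker that parses the raw property-list format, validates the profile ID syntax and the four FreeIPA restrictions, and lists the differences between a cloned profile and its source that change what the CA will sign. The sample profile text is a constructed, trimmed copy of the caIPAserviceCert dump shown above with the same EKU edit and profileId removal as the transcript's diff; the function names and the selection of "sensitive" keys are this example's own choices, not anything FreeIPA defines.

```python
"""Check a Dogtag property-list certificate profile against the FreeIPA import
restrictions and report signing-relevant differences between two profiles.

Added example for this thread; not FreeIPA or Dogtag code. The sample
profiles below are constructed (a trimmed copy of the caIPAserviceCert dump
in the transcript, plus the edits the transcript's diff applies to it).
"""
import re
from typing import Dict, List, Tuple

# Restrictions listed under "PROFILE CONFIGURATION FORMAT" in `ipa help certprofile`.
REQUIRED_VALUES = {"classId": "caEnrollImpl", "auth.instance_id": "raCertAuth"}
REQUIRED_INPUT_CLASS = "certReqInputImpl"
REQUIRED_OUTPUT_CLASS = "certOutputImpl"
# "PROFILE ID SYNTAX": a letter followed by letters, digits or underscores.
PROFILE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# Key suffixes whose value changes what the CA is willing to sign
# (this example's own selection, not a list FreeIPA maintains).
SENSITIVE_SUFFIXES = ("exKeyUsageOIDs", "keyParameters", "keyType",
                      "signingAlgsAllowed", "pattern", "range", "userExtOID")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse the raw key=value format; values may themselves contain '='."""
    props: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not a key=value property: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _listed_classes(props: Dict[str, str], section: str) -> List[str]:
    """Resolve e.g. input.list=i1,i2 to the class_id of each listed element."""
    ids = [i for i in props.get(f"{section}.list", "").split(",") if i]
    return [props.get(f"{section}.{i}.class_id", "") for i in ids]


def validate_profile(props: Dict[str, str], profile_id: str) -> List[str]:
    """Return the violations of the FreeIPA restrictions; empty means importable."""
    problems: List[str] = []
    if not PROFILE_ID_RE.match(profile_id):
        problems.append(f"profile ID {profile_id!r} violates PROFILE ID SYNTAX")
    if "profileId" in props and props["profileId"] != profile_id:
        problems.append(f"profileId={props['profileId']} does not match {profile_id}")
    for key, expected in REQUIRED_VALUES.items():
        if props.get(key) != expected:
            problems.append(f"{key} must be {expected!r}, got {props.get(key)!r}")
    if REQUIRED_INPUT_CLASS not in _listed_classes(props, "input"):
        problems.append(f"no input in input.list uses {REQUIRED_INPUT_CLASS}")
    if REQUIRED_OUTPUT_CLASS not in _listed_classes(props, "output"):
        problems.append(f"no output in output.list uses {REQUIRED_OUTPUT_CLASS}")
    return problems


def sensitive_changes(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(key, old value, new value) for every differing key that affects what gets signed."""
    return [(k, old.get(k, ""), new.get(k, ""))
            for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k) and k.endswith(SENSITIVE_SUFFIXES)]


# Constructed sample: trimmed from the caIPAserviceCert dump in the transcript.
BASE_PROFILE = """\
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
enable=true
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.list=1,2,3,7
profileId=caIPAserviceCert
"""
# The two edits from the transcript's diff that matter here: EKU switched from
# serverAuth/clientAuth to emailProtection (1.3.6.1.5.5.7.3.4) and profileId removed.
NEW_PROFILE = (BASE_PROFILE
               .replace("1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4")
               .replace("profileId=caIPAserviceCert\n", ""))

if __name__ == "__main__":
    base, new = parse_profile(BASE_PROFILE), parse_profile(NEW_PROFILE)
    print("base as caIPAserviceCert:", validate_profile(base, "caIPAserviceCert") or "OK")
    print("base as new_cert_profile:", validate_profile(base, "new_cert_profile"))
    print("edited as new_cert_profile:", validate_profile(new, "new_cert_profile") or "OK")
    for key, before, after in sensitive_changes(base, new):
        print(f"REVIEW {key}: {before!r} -> {after!r}")
```

Run against a dump from `ipa certprofile-show --out` before calling `ipa certprofile-import`: the checker reproduces why the unedited copy would be rejected under a new ID (profileId mismatch) and why deleting that line makes it importable, and it singles out the EKU change so a reviewer sees that the cloned profile now issues emailProtection certificates rather than serverAuth/clientAuth ones. That review step matters more once a profile is reachable through a CA ACL like the transcript's wide_open_acls, which lets every user, host and service principal request every profile; outside a test realm the ACL should name the profile and the groups allowed to use it.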

Comment 33 errata-xmlrpc 2015-11-19 12:01:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
