Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1200735

Summary: [RFE] Allow issuing certificates for user accounts
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium    
Version: 7.0CC: jcholast, rcritten, spoore
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-1.el7 Doc Type: Release Note
Doc Text:
See BZ#1200694 for a description
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:01:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1181710    

Description Martin Kosek 2015-03-11 10:02:53 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4938

Currently, certificates can be issued only for hosts and services. For some of the use cases, like authentication of services with SSL certificates, IdM should be able to also issue for (system users).

FreeIPA should be able to issue the certificates for both standard POSIX users and for system users (users with limited objectclasses and no password expiration policy).
Comment 1 Jan Cholasta 2015-06-04 08:37:45 UTC 
master:
https://fedorahosted.org/freeipa/changeset/c09bd35e7c081e968d40ecbd52177446f422d532
https://fedorahosted.org/freeipa/changeset/979947f7f21749b45176c39f66060564e19466e3
https://fedorahosted.org/freeipa/changeset/a931d3edc00f7578223df2afeebdf2da3dd85a68
Comment 2 Martin Kosek 2015-07-07 07:39:41 UTC 
The functionality is there. From now on, the upstream feature is in bugfixing mode.
Comment 4 Scott Poore 2015-08-25 21:42:39 UTC 
Verified.

Version ::

ipa-server-4.2.0-5.el7.x86_64

Results ::

[root@master /]# ipa help certprofile
Manage Certificate Profiles

Certificate Profiles are used by Certificate Authority (CA) in the signing of
certificates to determine if a Certificate Signing Request (CSR) is acceptable,
and if so what features and extensions will be present on the certificate.

The Certificate Profile format is the property-list format understood by the
Dogtag or Red Hat Certificate System CA.

PROFILE ID SYNTAX:

A Profile ID is a string without spaces or punctuation starting with a letter
and followed by a sequence of letters, digits or underscore ("_").

EXAMPLES:

  Import a profile that will not store issued certificates:
    ipa certprofile-import ShortLivedUserCert \
      --file UserCert.profile --desc "User Certificates" \
      --store=false

  Delete a certificate profile:
    ipa certprofile-del ShortLivedUserCert

  Show information about a profile:
    ipa certprofile-show ShortLivedUserCert

  Save profile configuration to a file:
    ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg

  Search for profiles that do not store certificates:
    ipa certprofile-find --store=false

PROFILE CONFIGURATION FORMAT:

The profile configuration format is the raw property-list format
used by Dogtag Certificate System.  The XML format is not supported.

The following restrictions apply to profiles managed by FreeIPA:

- When importing a profile the "profileId" field, if present, must
  match the ID given on the command line.

- The "classId" field must be set to "caEnrollImpl"

- The "auth.instance_id" field must be set to "raCertAuth"

- The "certReqInputImpl" input class and "certOutputImpl" output
  class must be used.

Topic commands:
  certprofile-del     Delete a Certificate Profile.
  certprofile-find    Search for Certificate Profiles.
  certprofile-import  Import a Certificate Profile.
  certprofile-mod     Modify Certificate Profile configuration.
  certprofile-show    Display the properties of a Certificate Profile.

To get command help, use:
  ipa <command> --help

[root@master /]# ipa certprofile-show caIPAserviceCert --out=/tmp/caIPAserviceCert.out
----------------------------------------------------------------
Profile configuration stored in file '/tmp/caIPAserviceCert.out'
----------------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@master /]# cat /tmp/caIPAserviceCert.out
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
enable=true
enableBy=ipara
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.testrelm.test/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
profileId=caIPAserviceCert
visible=false

[root@master /]#  cp /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg

[root@master /]# vim /tmp/newcertprofile.cfg

[root@master /]# diff /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg
3c3
< desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
---
> desc=New Profile for Testing
9c9
< name=IPA-RA Agent-Authenticated Server Certificate Enrollment
---
> name=New IPA-RA based profile for test
88c88
< policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
---
> policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
108d107
< profileId=caIPAserviceCert


[root@master /]# ipa certprofile-import new_cert_profile --file=/tmp/newcertprofile.cfg --store=True --desc="New Cert Profile"
-----------------------------------
Imported profile "new_cert_profile"
-----------------------------------
  Profile ID: new_cert_profile
  Profile description: New Cert Profile
  Store issued certificates: TRUE


[root@master /]# ipa user-add --first=testuser1 --last=lastname --email=testuser1 testuser1
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: testuser1
  Last name: lastname
  Full name: testuser1 lastname
  Display name: testuser1 lastname
  Initials: tl
  Home directory: /home/testuser1
  GECOS: testuser1 lastname
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 744800005
  GID: 744800005
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master /]# echo redhat|ipa passwd testuser1
----------------------------------------------
Changed password for "testuser1"
----------------------------------------------
[root@master /]# echo -e 'redhat\nSecret123\nSecret123' | kinit testuser1
Password for testuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@master /]# kdestroy -A
[root@master /]# echo Secret123|kinit admin
Password for admin: 
[root@master /]# cat > testuser1.cnf <<EOF
> [req]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> req_extensions = v3_req
> prompt = no
> encrypt_key = no
> 
> [req_distinguished_name]
> commonName = testuser1
> 
> [ v3_req ]
> subjectAltName = email:testuser1
> EOF
[root@master /]# 
[root@master /]# openssl req -out testuser1.csr -new -newkey rsa:2048 -nodes -keyout testuser1.key -config testuser1.cnf
Generating a 2048 bit RSA private key
.......................+++
............................................................................+++
writing new private key to 'testuser1.key'
-----
[root@master /]# 
[root@master /]# ipa caacl-add --profilecat=all wide_open_acls --usercat=all --hostcat=all --servicecat=all
-----------------------------
Added CA ACL "wide_open_acls"
-----------------------------
  ACL name: wide_open_acls
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all
[root@master /]# ipa cert-request testuser1.csr --profile-id=new_cert_profile --principal=testuser1
  Certificate: MIIEKTCCAxGgAwIBAgIBFzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTUwODI1MjEzNzEwWhcNMTcwODI1MjEzNzEwWjAsMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRIwEAYDVQQDDAl0ZXN0dXNlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+DzacMuWCHnC9nfLQnv1jMES6vivcNCMHB1CIxLt3YxAg6dkWPApVGP0l13ZE83JKpM3q84WP2u1VFIeOddfEy9w2J5nqgHQTfQzIu3B8SQu5uxEKGX9DlFxhgMfLBfminx3cNvkVP8d/G6uebwEV/awdKiCIXu/1Z8QdnurAG2FfrkzQ8IpMyl+/NMcojEDHe/yHFz1PABQyBOXYcsGk3Vq+xSt4ZYMAOqAv4qPrcbinFmLcb00LbA75j2Gxj5j2lw4Yg0Ofe+OZLGLc4mPwmTlcOtEglNPVkCOG8fMrxhhA1DmvT+iOoO5oOYACAihDP65ZMriDmTmcJbro/OiLAgMBAAGjggFIMIIBRDAfBgNVHSMEGDAWgBQ8nlVXMWjm1SJaTwhvKJjYsdJ9tzA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDBDB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRK+ltkEsyC12Iev1gZHnDPuUy/YDAiBgNVHREEGzAZgRd0ZXN0dXNlcjFAdGVzdHJlbG0udGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAXx4198vOlYdbXxcCF948fPF/94dQXy0wEJmoD2KOx50OeRsw6p7H9K/dBoSwuKyVg4wgt35S12ee7aSJF+MQOphMAmdvb7RMIh65UJ6mHvAfDIefkGkDk0vDNSaVgmGKiNdnJNtw2jhduMNQsnVj0IDLdKrvAm1V82sbPK+csYheTm34U/yd/6JmUK6OQKQapodFJoX4Q/4RDBIWZYkUdoq7kSOLVuElOtpQIe1d3LsznWI6fEdslbn+NYI41S304Rt+bc9JEX9xpt61Vrlse3zPhBRZbPgAPbi95fpQ/fObMQ08PwDvSzzZXGm7rCA7tr9O0Hq96Zhdfyiztkrf9w==
  Subject: CN=testuser1,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 25 21:37:10 2015 UTC
  Not After: Fri Aug 25 21:37:10 2017 UTC
  Fingerprint (MD5): 3c:f1:fb:d5:09:ee:f4:2f:c9:89:20:9e:44:84:66:86
  Fingerprint (SHA1): 0b:50:49:64:ef:ba:67:a7:9a:e2:bb:f9:54:0c:0f:10:3b:84:f6:52
  Serial number: 23
  Serial number (hex): 0x17
Comment 5 errata-xmlrpc 2015-11-19 12:01:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html