Bug 1200735 - [RFE] Allow issuing certificates for user accounts
Summary: [RFE] Allow issuing certificates for user accounts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: 1181710
Reported: 2015-03-11 10:02 UTC by Martin Kosek
Modified: 2015-11-19 12:01 UTC (History)

Fixed In Version: ipa-4.2.0-1.el7
Doc Type: Release Note
Doc Text:
See BZ#1200694 for a description
Clone Of:
Environment:
Last Closed: 2015-11-19 12:01:59 UTC
Target Upstream Version:




Links:
  Red Hat Product Errata RHBA-2015:2362 (priority: normal, status: SHIPPED_LIVE, private: 0): ipa bug fix and enhancement update; last updated 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-11 10:02:53 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4938

Currently, certificates can be issued only for hosts and services. For some of the use cases, like authentication of services with SSL certificates, IdM should also be able to issue them for users (system users).

FreeIPA should be able to issue the certificates for both standard POSIX users and for system users (users with limited objectclasses and no password expiration policy).

Comment 2 Martin Kosek 2015-07-07 07:39:41 UTC
The functionality is there. From now on, the upstream feature is in bugfixing mode.

Comment 4 Scott Poore 2015-08-25 21:42:39 UTC
Verified.

Version ::

ipa-server-4.2.0-5.el7.x86_64

Results ::

[root@master /]# ipa help certprofile
Manage Certificate Profiles

Certificate Profiles are used by Certificate Authority (CA) in the signing of
certificates to determine if a Certificate Signing Request (CSR) is acceptable,
and if so what features and extensions will be present on the certificate.

The Certificate Profile format is the property-list format understood by the
Dogtag or Red Hat Certificate System CA.

PROFILE ID SYNTAX:

A Profile ID is a string without spaces or punctuation starting with a letter
and followed by a sequence of letters, digits or underscore ("_").

EXAMPLES:

  Import a profile that will not store issued certificates:
    ipa certprofile-import ShortLivedUserCert \
      --file UserCert.profile --desc "User Certificates" \
      --store=false

  Delete a certificate profile:
    ipa certprofile-del ShortLivedUserCert

  Show information about a profile:
    ipa certprofile-show ShortLivedUserCert

  Save profile configuration to a file:
    ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg

  Search for profiles that do not store certificates:
    ipa certprofile-find --store=false

PROFILE CONFIGURATION FORMAT:

The profile configuration format is the raw property-list format
used by Dogtag Certificate System.  The XML format is not supported.

The following restrictions apply to profiles managed by FreeIPA:

- When importing a profile the "profileId" field, if present, must
  match the ID given on the command line.

- The "classId" field must be set to "caEnrollImpl"

- The "auth.instance_id" field must be set to "raCertAuth"

- The "certReqInputImpl" input class and "certOutputImpl" output
  class must be used.

Topic commands:
  certprofile-del     Delete a Certificate Profile.
  certprofile-find    Search for Certificate Profiles.
  certprofile-import  Import a Certificate Profile.
  certprofile-mod     Modify Certificate Profile configuration.
  certprofile-show    Display the properties of a Certificate Profile.

To get command help, use:
  ipa <command> --help

[root@master /]# ipa certprofile-show caIPAserviceCert --out=/tmp/caIPAserviceCert.out
----------------------------------------------------------------
Profile configuration stored in file '/tmp/caIPAserviceCert.out'
----------------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@master /]# cat /tmp/caIPAserviceCert.out
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
enable=true
enableBy=ipara
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.testrelm.test/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
profileId=caIPAserviceCert
visible=false

[root@master /]#  cp /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg

[root@master /]# vim /tmp/newcertprofile.cfg

[root@master /]# diff /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg
3c3
< desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
---
> desc=New Profile for Testing
9c9
< name=IPA-RA Agent-Authenticated Server Certificate Enrollment
---
> name=New IPA-RA based profile for test
88c88
< policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
---
> policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
108d107
< profileId=caIPAserviceCert


[root@master /]# ipa certprofile-import new_cert_profile --file=/tmp/newcertprofile.cfg --store=True --desc="New Cert Profile"
-----------------------------------
Imported profile "new_cert_profile"
-----------------------------------
  Profile ID: new_cert_profile
  Profile description: New Cert Profile
  Store issued certificates: TRUE


[root@master /]# ipa user-add --first=testuser1 --last=lastname --email=testuser1@testrelm.test testuser1
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: testuser1
  Last name: lastname
  Full name: testuser1 lastname
  Display name: testuser1 lastname
  Initials: tl
  Home directory: /home/testuser1
  GECOS: testuser1 lastname
  Login shell: /bin/sh
  Kerberos principal: testuser1@TESTRELM.TEST
  Email address: testuser1@testrelm.test
  UID: 744800005
  GID: 744800005
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master /]# echo redhat|ipa passwd testuser1
----------------------------------------------
Changed password for "testuser1@TESTRELM.TEST"
----------------------------------------------
[root@master /]# echo -e 'redhat\nSecret123\nSecret123' | kinit testuser1
Password for testuser1@TESTRELM.TEST: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@master /]# kdestroy -A
[root@master /]# echo Secret123|kinit admin
Password for admin@TESTRELM.TEST: 
[root@master /]# cat > testuser1.cnf <<EOF
> [req]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> req_extensions = v3_req
> prompt = no
> encrypt_key = no
> 
> [req_distinguished_name]
> commonName = testuser1
> 
> [ v3_req ]
> subjectAltName = email:testuser1@testrelm.test
> EOF
[root@master /]# 
[root@master /]# openssl req -out testuser1.csr -new -newkey rsa:2048 -nodes -keyout testuser1.key -config testuser1.cnf
Generating a 2048 bit RSA private key
.......................+++
............................................................................+++
writing new private key to 'testuser1.key'
-----
[root@master /]# 
[root@master /]# ipa caacl-add --profilecat=all wide_open_acls --usercat=all --hostcat=all --servicecat=all
-----------------------------
Added CA ACL "wide_open_acls"
-----------------------------
  ACL name: wide_open_acls
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all
[root@master /]# ipa cert-request testuser1.csr --profile-id=new_cert_profile --principal=testuser1
  Certificate: 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
  Subject: CN=testuser1,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 25 21:37:10 2015 UTC
  Not After: Fri Aug 25 21:37:10 2017 UTC
  Fingerprint (MD5): 3c:f1:fb:d5:09:ee:f4:2f:c9:89:20:9e:44:84:66:86
  Fingerprint (SHA1): 0b:50:49:64:ef:ba:67:a7:9a:e2:bb:f9:54:0c:0f:10:3b:84:f6:52
  Serial number: 23
  Serial number (hex): 0x17
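
The import restrictions printed by `ipa help certprofile` above (matching `profileId`, `classId=caEnrollImpl`, `auth.instance_id=raCertAuth`, the `certReqInputImpl` input and `certOutputImpl` output) are exactly what went wrong-prone in the copy-and-edit workflow shown in the diff: the copied dump still carried `profileId=caIPAserviceCert` and had to be deleted by hand. The following checker is an added example, not FreeIPA or Dogtag code; it parses the raw property-list format, applies those restrictions before an import, and additionally warns when a `signingAlgsAllowed` constraint still permits MD2/MD5/SHA-1 signatures, as the stock `caIPAserviceCert` dump above does. The embedded profile is a constructed excerpt modelled on that dump, trimmed to the keys the checker inspects.

```python
"""Pre-import sanity check for a Dogtag property-list certificate profile.
Added example for the FreeIPA certprofile workflow; not project code."""
import re

# Constructed excerpt modelled on the caIPAserviceCert dump, after the
# desc/name/exKeyUsageOIDs edits but *before* the profileId line was removed.
SAMPLE_PROFILE = """\
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=New Profile for Testing
enable=true
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=New IPA-RA based profile for test
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
policyset.serverCertSet.list=1,7,8
profileId=caIPAserviceCert
"""

# Profile ID syntax from `ipa help certprofile`: letter, then letters/digits/_.
PROFILE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# Signing algorithms a CA should no longer be allowed to use (hygiene warning).
WEAK_SIGNING_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA",
                     "SHA1withDSA", "SHA1withEC"}


def parse_profile(text):
    """Parse key=value lines into a dict. Blank lines and '#' comments are
    skipped. Values may themselves contain '=' (see the subject-name default),
    so the line is split only at the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed property line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _listed_classes(props, list_key, fmt):
    """Resolve e.g. input.list=i1,i2 to the class_id of each listed entry."""
    names = [n for n in props.get(list_key, "").split(",") if n]
    return [props.get(fmt.format(n)) for n in names]


def check_profile(props, profile_id):
    """Return (errors, warnings). Errors reproduce the FreeIPA import
    restrictions; warnings are security-hygiene findings that would not block
    the import but deserve a look before the profile goes live."""
    errors, warnings = [], []
    if not PROFILE_ID_RE.match(profile_id):
        errors.append(f"profile ID {profile_id!r} violates the ID syntax")
    if "profileId" in props and props["profileId"] != profile_id:
        errors.append(f"profileId={props['profileId']} does not match "
                      f"the ID given on the command line ({profile_id})")
    if props.get("classId") != "caEnrollImpl":
        errors.append("classId must be caEnrollImpl")
    if props.get("auth.instance_id") != "raCertAuth":
        errors.append("auth.instance_id must be raCertAuth")
    if "certReqInputImpl" not in _listed_classes(props, "input.list",
                                                 "input.{}.class_id"):
        errors.append("no input in input.list uses certReqInputImpl")
    if "certOutputImpl" not in _listed_classes(props, "output.list",
                                               "output.{}.class_id"):
        errors.append("no output in output.list uses certOutputImpl")
    for key, value in props.items():
        if key.endswith(".signingAlgsAllowed"):
            weak = sorted(set(value.split(",")) & WEAK_SIGNING_ALGS)
            if weak:
                warnings.append(f"{key} permits weak signing algorithms: "
                                f"{', '.join(weak)}")
    return errors, warnings


if __name__ == "__main__":
    # Stand-alone run: check the constructed excerpt under the ID used above.
    errs, warns = check_profile(parse_profile(SAMPLE_PROFILE), "new_cert_profile")
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARNING:", msg)
```

Run against the constructed excerpt it reports the stale `profileId` as the single blocking error and the MD2/MD5/SHA-1 entries as a warning; after the `profileId` line is dropped, as the diff in the transcript does, the import checks pass. Separately, note that the `wide_open_acls` CA ACL created in the transcript matches every user, host, service and profile; it is a test fixture, and a production CA ACL should bind the new profile to the specific users or groups that are meant to use it.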

Comment 5 errata-xmlrpc 2015-11-19 12:01:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

