Red Hat Bugzilla – Bug 1313679
Section 14.2.3., specify that CSRs are generated on nodes, not on IdM server
Last modified: 2016-07-29 03:23:06 EDT
Description of problem:
The current documentation explains how to generate CSRs for services, but does not mention where these are usually generated - thus where the private keys are actually stored.
The examples in fact say "server", which might lead to the impression that the private keys are stored on the IdM and that the CSRs have to be generated on the IdM.
However, in real life the private key for a service should stay on the node where the service is actually run - and not on the IdM. Thus the CSR should also be generated on the "service node".
Version-Release number of selected component (if applicable):
I suggest adding something like the following clarification to the introduction of 14.2.3., so that the paragraph:
"The certificate request must be generated with a third-party tool such as certutil. The resulting certificate request can be submitted through the IdM web UI or command-line tools.
The service must already exist for a certificate to be requested. If the service does not yet exist, then with the command line, there is an option to create the service as part of requesting the certificate."
is extended by a paragraph along the lines of:
"The service usually runs on a dedicated service node on which the private key is stored. The private key should not be copied to the IdM, so the CSR needs to be created on the service node itself; the following certutil commands need to be executed on the service node."
Additionally, for better clarification it might make sense to change the following code examples in 14.2.3. from "server" to "service-node" in step 1. of 22.214.171.124. and 126.96.36.199.
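The workflow the suggested paragraph describes, as an added example that is not part of this bug report or of the Red Hat guide: the NSS database, the private key and the CSR are all created on the service node, and only the CSR is sent to IdM. The host name service-node.example.com, the subject base O=EXAMPLE.COM and the HTTP service are assumed placeholders.

```shell
#!/bin/sh
# Run on the service node, not on the IdM server: the NSS database and the
# private key it holds are created here and never leave this host.
# Placeholders (assumptions): service-node.example.com, O=EXAMPLE.COM, HTTP/.
set -eu

# make_service_csr NSSDB_DIR FQDN ORG -> prints the path of the PEM CSR it wrote
make_service_csr() {
    dbdir=$1; fqdn=$2; org=$3
    mkdir -p "$dbdir"
    chmod 700 "$dbdir"                       # key material readable by this user only
    pwfile="$dbdir/pwdfile.txt"
    if [ ! -f "$pwfile" ]; then              # random NSS DB password, kept on this node
        head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$pwfile"
        chmod 600 "$pwfile"
    fi
    noise="$dbdir/noise.bin"                 # RNG seed so certutil does not prompt
    dd if=/dev/urandom of="$noise" bs=1024 count=1 2>/dev/null
    [ -f "$dbdir/key4.db" ] || certutil -N -d "sql:$dbdir" -f "$pwfile" 1>&2
    csr="$dbdir/$fqdn.csr"
    # -R generates the key pair inside the local NSS DB and writes only the request
    certutil -R -d "sql:$dbdir" -f "$pwfile" -z "$noise" -g 2048 \
        -s "CN=$fqdn,O=$org" -8 "$fqdn" -a -o "$csr" 1>&2
    rm -f "$noise"
    printf '%s\n' "$csr"
}

# csr_is_request_only FILE -> 0 when FILE holds a request and no private key,
# i.e. it is safe to copy off this node and submit to IdM
csr_is_request_only() {
    grep -q 'BEGIN .*CERTIFICATE REQUEST' "$1" && ! grep -q 'PRIVATE KEY' "$1"
}

# Submission step, still on the service node with a Kerberos ticket that may
# manage the service; --add creates the service entry if it does not exist yet:
#   ipa cert-request --add --principal=HTTP/service-node.example.com "$csr"
```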
It is at least better than the original version. I would still have added a line saying that the certificate stays on a server different from the IdM, but this version is at least not as confusing as the original one. You can close if you want.
Thanks for the update Roland. We will have a look at this BZ and make the change.
I added an Important admonition to 17.1.1.:
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service's private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the CSR on the service node, not on the IdM server.
Roland, is this okay?
Published with the latest update: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html