Bug 1570482 - Document certificate profiles creation, modification, and management for RHEL IdM
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.5
Target Milestone: rc
Assignee: Marc Muehlfeld
QA Contact: ipa-qe
Depends On: 1576720
Reported: 2018-04-23 04:13 UTC by Alexander Bokovoy
Modified: 2019-04-16 07:32 UTC (History)
Last Closed: 2019-04-16 07:32:40 UTC

Description Alexander Bokovoy 2018-04-23 04:13:49 UTC
RHEL documentation on IdM side is lacking a clear explanation on what OIDs are included in the default certificate profiles and how to specify them using recommended methods.

In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24 "Managing Certificates for Users, Hosts, and Services" only covers how to issue certificates using 'ipa cert-request' without explanation of its parameters. It does not refer to certmonger documentation at all.

It doesn't provide any table with OIDs from the default profile in IPA. There is a reference to the defaults for profiles in RHCS documentation but it is very easy to miss.

Comment 4 Marc Muehlfeld 2019-03-19 12:39:00 UTC
I need some help to update the documentation.


(In reply to Alexander Bokovoy from comment #0)
> RHEL documentation on IdM side is lacking a clear explanation on what OIDs
> are included in the default certificate profiles and how to specify them
> using recommended methods.

Can you please provide me with what OIDs are included and details on how to specify them?



> In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24
> "Managing Certificates for Users, Hosts, and Services" only covers how to
> issue certificates using 'ipa cert-request' without explanation of its
> parameters. It does not refer to certmonger documentation at all.

What parameters should be explained? Only --profile-id= or all? Can you provide me with the information that should be added to the docs?

To what certmonger docs should chapter 24 refer? To https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/certmongerx ?



> There is a reference to the defaults for profiles in RHCS documentation but
> it is very easy to miss.

I can move the
> For details on supported certificate profile configuration, see Defaults Reference and Constraints Reference in the Red Hat Certificate System Administration Guide.
paragraph to a new small separate section ("Creating a Certificate Profile"). Then it's easier to find.

Comment 7 Alexander Bokovoy 2019-04-10 04:05:11 UTC
The problem with documenting OIDs is that they are coming from Dogtag and while FreeIPA is using Dogtag profiles, it doesn't define them itself. So it is probably better to have that information clearly referenced in Dogtag documentation and then linked to IdM guide.

For certmonger docs reference you are linking the right chapter, thanks.

Comment 10 Marc Muehlfeld 2019-04-15 15:22:37 UTC
All previews are temporary.

(In reply to Alexander Bokovoy from comment #0)
> In "Linux Domain Identity, Authentication, and Policy Guide", Chapter 24
> "Managing Certificates for Users, Hosts, and Services" only covers how to
> issue certificates using 'ipa cert-request' without explanation of its
> parameters.

Step 3 in http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#requesting-cert-certutil explains the other available options of "ipa cert-request".


> It does not refer to certmonger documentation at all.

I've added "24.1.1.3. Requesting New Certificates Using Certmonger":
http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#reqesting-new-certificates-using-certmonger


> It doesn't provide any table with OIDs from the default profile in IPA.
> There is a reference to the defaults for profiles in RHCS documentation but
> it is very easy to miss.

I linked the RHCS docs in the new "24.4.1. Creating a Certificate Profile" section:

http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-branch-mmuehlfe_1570482/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#creating-a-certificate-profile


Alexander, do these enhancements cover the docs updates you requested or does anything else need to be added or explained?

Comment 11 Alexander Bokovoy 2019-04-15 15:37:21 UTC
Yes, this all now looks quite good. The only odd thing I noticed is "24.1.1.2. Requesting New Certificates Using openSSL". I think it would be good to change this to "24.1.1.2. Preparing a certificate request with multiple SAN fields using openSSL" and mention that the resulting certificate request can be used with 'ipa cert-request' command.

Comment 13 Marc Muehlfeld 2019-04-16 07:32:40 UTC
The update is now available on the Customer Portal.

