
Configuring Directory Authenticated Certificate Profiles

Endi S. Dewata edited this page Aug 2, 2023 · 18 revisions

Overview

This document describes how to configure directory-authenticated certificate profiles.

Prerequisites

Make sure the LDAP server has user entries with passwords to authenticate against, for example:

$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: ou=People,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF

Verify using the following command:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "uid=testuser,ou=People,dc=example,dc=com" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    "(objectClass=*)"

Configuring PKI Server

By default the directory-authenticated profiles (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg) are configured with the UserDirEnrollment authentication manager:

auth.instance_id=UserDirEnrollment

Add the UserDirEnrollment authentication manager to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false

The UidPwdDirAuth plugin is already defined in CS.cfg:

auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
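The profile's auth.instance_id must resolve to an auths.instance.* block whose pluginName in turn resolves to an auths.impl.*.class entry. The following script is an added example (not Dogtag PKI code) that parses a CS.cfg fragment and checks that chain, flags missing ldap.* keys, and reports when secureConn is not true; the sample configuration embedded in it is constructed from the lines on this page.

```python
# Added example (not Dogtag PKI code): check the CS.cfg wiring of a directory-authenticated profile.
# Constructed sample: the UserDirEnrollment instance from this page plus its plugin entry.
SAMPLE_CS_CFG = """\
auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
"""

# The ldap.* keys the UidPwdDirAuth instance on this page sets.
REQUIRED_LDAP_KEYS = ("basedn", "ldapauth.authtype", "ldapauth.bindDN",
                      "ldapauth.bindPWPrompt", "ldapconn.host",
                      "ldapconn.port", "ldapconn.secureConn")

def parse_cs_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines, splitting on the first '=' only (DN values contain '=')."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            cfg[key.strip()] = value.strip()
    return cfg

def check_auth_instance(cfg: dict[str, str], instance: str) -> list[str]:
    """Return findings for auths.instance.<instance>; an empty list means it is complete."""
    prefix = f"auths.instance.{instance}."
    plugin = cfg.get(prefix + "pluginName")
    if plugin is None:
        return [f"{instance}: {prefix}pluginName is not set"]
    findings: list[str] = []
    if f"auths.impl.{plugin}.class" not in cfg:  # instance points at an undefined plugin
        findings.append(f"{instance}: no auths.impl.{plugin}.class entry for plugin {plugin}")
    for key in REQUIRED_LDAP_KEYS:
        if f"{prefix}ldap.{key}" not in cfg:
            findings.append(f"{instance}: missing {prefix}ldap.{key}")
    if cfg.get(f"{prefix}ldap.ldapconn.secureConn", "false").lower() != "true":
        findings.append(f"{instance}: secureConn is not true; LDAP traffic, including the bind and user passwords, is not TLS-protected")
    return findings

def check_profile_auth(profile_cfg: dict[str, str], cs_cfg: dict[str, str]) -> list[str]:
    """Resolve a profile's auth.instance_id to its CS.cfg instance and check that instance."""
    instance = profile_cfg.get("auth.instance_id")
    if not instance:
        return ["profile: auth.instance_id is not set"]
    return check_auth_instance(cs_cfg, instance)
```

Run check_profile_auth with the parsed caDirUserCert.cfg and CS.cfg contents; with the page's sample configuration the only finding is the secureConn=false one.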

Customize the profile (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg) as needed. To simplify testing, the validity range can be changed to 30 days:

policyset.userCertSet.2.default.params.range=30

Restart the PKI server:

$ systemctl restart pki-tomcatd@pki-tomcat.service

Enrollment

Renewal

See Also
