-
Notifications
You must be signed in to change notification settings - Fork 139
Configuring Directory Authenticated Certificate Profiles
This document describes how to use directory-authenticated certificate profiles:
-
caDirUserCert
: Dual-Use User Certificate Enrollment -
caECDirUserCert
: Dual-Use ECC User Certificate Enrollment -
caDirUserRenewal
: User Certificate Self-Renewal
It assumes that the CA is already installed.
Make sure the LDAP server has a user with a password:
$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF dn: uid=testuser,ou=People,dc=example,dc=com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: testuser cn: Test User sn: User userPassword: Secret.123 EOF
Verify using the following command:
$ ldapsearch -h $HOSTNAME -x -D "uid=testuser,ou=People,dc=example,dc=com" -w Secret.123 \ -b "dc=example,dc=com" "(objectClass=*)"
By default the directory-authenticated profiles (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg
) are configured with UserDirEnrollment
authentication manager:
auth.instance_id=UserDirEnrollment
Add the UserDirEnrollment
authentication manager into /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
:
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb auths.instance.UserDirEnrollment.ldap.ldapconn.host=server.example.com auths.instance.UserDirEnrollment.ldap.ldapconn.port=389 auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
Customize the profile (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg
) as needed. To simplify testing the validity range can be changed to 30 days:
policyset.userCertSet.2.default.params.range=30
Restart PKI server:
$ systemctl restart [email protected]
Create a new client NSS database if necessary:
$ pki -c Secret.123 client-init
Execute the following command to submit the enrollment request. It will prompt for the LDAP password:
$ pki -U https://$HOSTNAME:8443 -c Secret.123 client-cert-request \ --profile caDirUserCert --username testuser --password Password: ******** ----------------------------- Submitted certificate request ----------------------------- Request ID: 16 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0xc
The certificate will be issued immediately.
Generate a CSR:
$ PKCS10Client -d ~/.dogtag/nssdb -p Secret.123 -a rsa -l 1024 -o testuser.csr \ -n "UID=testuser" PKCS10Client: Debug: got token. PKCS10Client: Debug: thread token set. PKCS10Client: token Internal Key Storage Token logged in... PKCS10Client: key pair generated. PKCS10Client: pair.getPublic() called. PKCS10Client: CertificationRequestInfo() created. PKCS10Client: CertificationRequest created. PKCS10Client: calling Utils.b64encode. PKCS10Client: b64encode completes. -----BEGIN NEW CERTIFICATE REQUEST----- MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAPEcxFJBu2lNmIS+MNaZKO43h0dIhKZWZ8wEomQc tc9guIUGM5eFU+psj6n0XQCPMIVRe7mrzYHF8mlwAp416P5/97g9U6JOKkTXc5ia HVE1JRhykHiQ17Lp7Y6xXxfe6xKAXDoLOPJ4fNdadtbVeIGjudWktjgwh5CQBXsA GFP5AgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN BgkqhkiG9w0BAQQFAAOBgQAXrm979HwcG63Z64u+aybYrfOgyWxQ4kTtCA+NKYge HC6Z/mlb10J/wggOzrHUbE4IFyjbBo2k1FKe8zYcXIB6Ok5Z0TXueR1zKcb8hE35 o9dkH2sGJsSqMLN8NRyY5QeqOKmtaX8pm1aPhJ0wkvOYou52YqJdq6LF9KXmBGOH hA== -----END NEW CERTIFICATE REQUEST----- PKCS10Client: done. Request written to file: testuser.csr
Get the request template:
$ pki ca-cert-request-profile-show caDirUserCert --output testuser.xml
Edit the request file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <CertEnrollmentRequest> <Attributes> <Attribute name="uid">testuser</Attribute> <Attribute name="pwd">Secret.123</Attribute> </Attributes> <ProfileID>caDirUserCert</ProfileID> <Renewal>false</Renewal> <SerialNumber></SerialNumber> <RemoteHost></RemoteHost> <RemoteAddress></RemoteAddress> <Input id="i1"> <ClassID>keyGenInputImpl</ClassID> <Name>Key Generation</Name> <Attribute name="cert_request_type"> <Value>pkcs10</Value> <Descriptor> <Syntax>keygen_request_type</Syntax> <Description>Key Generation Request Type</Description> </Descriptor> </Attribute> <Attribute name="cert_request"> <Value> -----BEGIN NEW CERTIFICATE REQUEST----- MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBALvbVD1U6nzYh61tjjKC24mBqeKjABpEpl5CqyrT guX5PtHdrlOUbWOro8vNzXMWccm3IVEgJHTQyQdxenIkIGcwMXu9XlwI6zph1UaT oJ1CRh8z2Tn5Ncg6LvOejDJg+XtKEXEOTq0qzztBXTEe9uuKYb9AKc6iSmtfM7ZO nCZPAgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN BgkqhkiG9w0BAQQFAAOBgQBeVpuaZ1Sr1tHznU/0xSQ3OvEd3poJ0mk44KRYFdwu NbeZaGtvhYFwLfQH0mMOWrzvrh0a2eXWC8z51iuqvNJCHDX+rUGIYpZH8mtY3jMp 8mlDWClrcpAdmJTj0ztFggmBd0Zvl4EqPqp0SY5YYLxwEwcKXT/g8bDdS5UM68hq QA== -----END NEW CERTIFICATE REQUEST----- </Value> <Descriptor> <Syntax>keygen_request</Syntax> <Description>Key Generation Request</Description> </Descriptor> </Attribute> </Input> </CertEnrollmentRequest>
Submit the request:
$ pki -U https://$HOSTNAME:8443 -c Secret.123 ca-cert-request-submit testuser.xml ----------------------------- Submitted certificate request ----------------------------- Request ID: 16 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0xc
The certificate will be issued immediately.
Import the new certificate into the client’s NSS database by providing a new nickname and the serial number:
$ pki -c Secret.123 client-cert-import testuser --serial 0xc ------------------------------- Imported certificate "testuser" -------------------------------
Verify with the following command:
$ pki -c Secret.123 client-cert-find ---------------------- 2 certificate(s) found ---------------------- Serial Number: 0x1 Nickname: CA Signing Certificate - EXAMPLE Subject DN: CN=CA Signing Certificate,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Serial Number: 0xc Nickname: testuser Subject DN: UID=testuser,OU=People,DC=example,DC=com Issuer DN: CN=CA Signing Certificate,O=EXAMPLE ---------------------------- Number of entries returned 2 ----------------------------
Execute the following command to submit the renewal request. It will prompt for the LDAP password:
$ pki -U https://$HOSTNAME:8443 -c Secret.123 -n testuser client-cert-request \ --profile caDirUserRenewal --username testuser --password Password: ******** ----------------------------- Submitted certificate request ----------------------------- Request ID: 23 Type: renewal Request Status: complete Operation Result: success Certificate ID: 0x11
The certificate will be issued immediately.
Remove the old certificate from the client NSS database:
$ pki -c Secret.123 client-cert-del testuser ------------------------------ Removed certificate "testuser" ------------------------------
Import the new certificate into the client NSS database:
$ pki -c Secret.123 client-cert-import testuser --serial 0x11 ------------------------------- Imported certificate "testuser" -------------------------------
Verify with the following command:
$ pki -c Secret.123 client-cert-find ---------------------- 2 certificate(s) found ---------------------- Serial Number: 0x1 Nickname: CA Signing Certificate - EXAMPLE Subject DN: CN=CA Signing Certificate,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Serial Number: 0x11 Nickname: testuser Subject DN: UID=testuser,OU=People,DC=example,DC=com Issuer DN: CN=CA Signing Certificate,O=EXAMPLE ---------------------------- Number of entries returned 2 ----------------------------
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |