
Certificate management with FreeIPA and Dogtag
Show Your ID
Both internal and external services rely on encrypted communication with SSL and TLS. For external services, administrators use officially signed certificates, although Let's Encrypt is absolutely fine in many scenarios. In contrast, internal services predominantly rely on self-signed certificates, which always cause a stir with web browsers on the local area network (LAN) by generating messages such as "The server's certificate is unknown."
Administrators would prefer to see a nice lock icon displayed in the browser for a trusted TLS connection – for their intranet applications, too – instead of requiring users to create an individual exception in the browser for every internal application. This also means that stricter security policies can be applied for browsers on the corporate network, preventing users from opening untrusted connections at all or from creating exceptions. Admins also want other internal services to use trusted certificates and SSL for communication.
All you need is your own certificate authority (CA) on your intranet to manage and sign certificates for the connected services. Internal computers then only need to trust this internal root CA, and every certificate signed by it is identified as valid.
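The trust relationship described above, as an added example that is not part of the article and does not use Dogtag or FreeIPA: the openssl command line builds an internal root CA, issues a service certificate signed by it, and then runs the two checks a client performs (chain validation against the root and host name matching). The organization name, the host name intranet.example.internal, and the working directory are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the article: a minimal internal root CA with the
# openssl CLI, one service certificate signed by it, and the client-side checks.
# Names (Example Corp, intranet.example.internal, $WORK paths) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal request config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Create the internal root CA. Its private key stays offline; only rootCA.crt
# is distributed to the intranet clients as a trust anchor.
make_root_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rootCA.key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/rootCA.key" \
        -subj "/O=Example Corp/CN=Example Internal Root CA" -out "$WORK/rootCA.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/rootCA.csr" -signkey "$WORK/rootCA.key" \
        -days 3650 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/rootCA.crt" 2>/dev/null
}

# Issue a leaf certificate for one internal service. Browsers match the host
# name against the subjectAltName, so the SAN entry is mandatory.
issue_server_cert() {
    host="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$host.key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$host.key" \
        -subj "/O=Example Corp/CN=$host" -out "$WORK/$host.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/rootCA.crt" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# A client that trusts rootCA.crt: builds the chain and checks the host name.
# $1 = certificate name, $2 = host name the client connected to.
verify_as_trusting_client() {
    openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# A client without the root CA (the browser-warning case): no chain can be built.
verify_as_untrusting_client() {
    openssl verify -no-CAfile -no-CApath "$WORK/$1.crt" >/dev/null 2>&1
}

make_root_ca
issue_server_cert intranet.example.internal
if verify_as_trusting_client intranet.example.internal intranet.example.internal; then
    echo "trusted: a client holding rootCA.crt accepts intranet.example.internal"
fi
if ! verify_as_untrusting_client intranet.example.internal; then
    echo "untrusted: a client without rootCA.crt rejects the same certificate"
fi
```

The leaf is deliberately issued with `CA:FALSE` and `serverAuth` only, so a compromised service key cannot be used to mint further certificates; distributing only `rootCA.crt` (never `rootCA.key`) to clients is what makes the lock icon appear without per-application browser exceptions.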
Dogtag [1], the open source certificate system, offers a simple approach to managing an internal CA, and it integrates seamlessly with the FreeIPA [2] user directory. FreeIPA is to Linux what Active Directory (AD) is to the Windows world. It uses the same technology with a Lightweight Directory Access Protocol (LDAP) back end and Kerberos authentication. AD and an Identity, Policy, and Audit (IPA) system can trust each other with cross-domain trusts, allowing administrators of heterogeneous networks to run a connected directory for Windows and Linux machines.
In this article, I review the basic features of
