Certificate management with FreeIPA and Dogtag
Show Your ID
Building Trust Relations
For your connected clients to accept the certificates created in this way, they need to trust the CA on your IPA server, where you will find the root CA in /etc/ipa/ca.crt. The method you need to import a custom CA depends entirely on the application. For example, the Firefox browser lets you store ca.crt in a specific directory. On Windows, this would be:
- "%USERPROFILE%\AppData\Local\Mozilla\Certificates"
- "%USERPROFILE%\AppData\Roaming\Mozilla\Certificates"
and on Linux:
- "/usr/lib/mozilla/certificates"
- "/usr/lib64/mozilla/certificates"
On Linux systems with SELinux enabled, it is again important for the certificates directory and the files it contains to have the correct cert_t context; otherwise, Firefox cannot read them. Applications such as Redis either take the path to ca.crt on the command line or read it from their configuration file. Today, many applications use the operating system's CA trust store instead.
On an EL8 or Fedora Linux system, copy the ca.crt from your IPA server to the /etc/pki/ca-trust/source/anchors directory (don't forget the SELinux context) and run the update-ca-trust command as root or with sudo. Applications such as the Chrome or Chromium browser use the system's trust chain and do not need an individual configuration. On Windows, you can import your own certificates with a Group Policy or a PowerShell script.
Conclusions
FreeIPA with the integrated Dogtag services and the Certmonger client greatly simplifies certificate management on the intranet. Gone are the days of local NSS databases and tedious workflows for copying requests and their responses back and forth, along with the need to somehow convert the resulting PKCS#12, PEM, KEY, or CRT files to the right formats. The open source toolset gives you a quick way to create and deploy certificates for all TLS-enabled services in just a few simple steps.