Certificate management with FreeIPA and Dogtag

Show Your ID

Building Trust Relations

For your connected clients to accept the certificates created in this way, they need to trust the CA on your IPA server; the root CA certificate is in /etc/ipa/ca.crt. How you import a custom CA depends entirely on the application. For example, the Firefox browser lets you store ca.crt in a specific directory. On Windows, this would be

- "%USERPROFILE%\AppData\Local\Mozilla\Certificates"
- "%USERPROFILE%\AppData\Roaming\Mozilla\Certificates"

and on Linux:

- "/usr/lib/mozilla/certificates"
- "/usr/lib64/mozilla/certificates"

On Linux systems with SELinux enabled, it is again important for the certificates directory and the files it contains to have the correct cert_t context; otherwise, Firefox cannot read them. Applications such as Redis take the path to ca.crt either as a command-line option or as a setting in the configuration file. Today, many applications use the operating system's CA trust store.

On an EL8 or Fedora Linux system, copy ca.crt from your IPA server to the /etc/pki/ca-trust/source/anchors directory (don't forget the SELinux context) and run the update-ca-trust command as root or with sudo. Applications such as the Chrome or Chromium browser use the system's trust store and do not need individual configuration. On Windows, you can import your own certificates with a Group Policy or a PowerShell script.
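After update-ca-trust has run, it is worth confirming that a TLS client relying on the operating system trust store really sees the IPA CA. The following script is an added example, not part of the article or the FreeIPA project: it reads /etc/ipa/ca.crt (the path given above; a different path can be passed as the first argument), computes the SHA-256 fingerprint of every certificate in it, and compares them with the CA certificates Python's default TLS context loads from the system bundle.

```python
"""Verify that the FreeIPA root CA is present in the OS trust store
as seen by a default TLS client context (added example, not article code)."""
import base64
import hashlib
import ssl
import sys

IPA_CA_PATH = "/etc/ipa/ca.crt"  # location named in the article


def sha256_fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint, as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der_certs(pem_text):
    """Decode every CERTIFICATE block in a PEM file (ca.crt may hold a chain)."""
    ders, inside, b64 = [], False, []
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, b64 = True, []
        elif line == "-----END CERTIFICATE-----" and inside:
            ders.append(base64.b64decode("".join(b64)))
            inside = False
        elif inside:
            b64.append(line)
    return ders


def missing_anchors(pem_text, trusted_ders):
    """Fingerprints from pem_text that are not among trusted_ders."""
    trusted = {sha256_fingerprint(d) for d in trusted_ders}
    return [fp for fp in map(sha256_fingerprint, pem_to_der_certs(pem_text))
            if fp not in trusted]


def system_trusted_ders():
    """CA certs a default client context loads from the OS bundle. Caveat:
    anchors in a hashed capath directory load lazily and are not listed until
    used; the CAfile bundle written by update-ca-trust is loaded eagerly."""
    return ssl.create_default_context().get_ca_certs(binary_form=True)


def main(path=IPA_CA_PATH):
    with open(path, encoding="ascii") as f:
        missing = missing_anchors(f.read(), system_trusted_ders())
    for fp in missing:
        print("NOT trusted by the system store:", fp)
    print("all anchors trusted" if not missing else "trust store incomplete")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else IPA_CA_PATH))
```

A non-zero exit code means at least one certificate from ca.crt is missing from the bundle the client actually uses, which usually points to a wrong SELinux context on the anchor file or to update-ca-trust not having been run.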

Conclusions

FreeIPA with the integrated Dogtag services and Certmonger client greatly simplifies certificate management on the intranet. Gone are the days of local NSS databases and tedious workflows to copy requests and their responses back and forth – along with the need to convert the resulting PKCS12, PEM, KEY, or CRT files somehow to the right formats. The open source toolset gives you a quick way to create and deploy certificates for all TLS-enabled services in just a few simple steps.
