
Configuring Directory Authenticated Certificate Profiles

Endi S. Dewata edited this page Aug 2, 2023 · 18 revisions

Overview

This document describes how to configure directory-authenticated certificate profiles:

  • caDirUserCert: Dual-Use User Certificate Enrollment

  • caECDirUserCert: Dual-Use ECC User Certificate Enrollment

  • caDirUserRenewal: User Certificate Self-Renewal

It assumes that the CA is already installed.

Preparing LDAP Server

Make sure the LDAP server has a user with a password:

$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF

Verify using the following command:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "uid=testuser,ou=People,dc=example,dc=com" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    "(objectClass=*)"

Configuring PKI Server

By default the directory-authenticated profiles (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg) are configured with the UserDirEnrollment authentication manager:

auth.instance_id=UserDirEnrollment

Add the UserDirEnrollment authentication manager into /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false

Customize the profile (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg) as needed. To simplify testing, the validity range can be changed to 30 days:

policyset.userCertSet.2.default.params.range=30

Restart PKI server:

$ systemctl restart pki-tomcatd@pki-tomcat.service
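The UserDirEnrollment block above uses secureConn=false on port 389, so with BasicAuth both the bind account's password and every enrollee's uid/password cross the network in clear text between the CA and the LDAP server. The following check script is an added example, not part of Dogtag PKI or this wiki: it embeds a constructed copy of that block, verifies that every key the section sets is present, flags the plaintext connection, and shows a hardened variant (LDAPS on port 636 with secureConn=true) passing the same check. The temporary file paths are assumptions.

```shell
#!/bin/sh
# Added check script (not part of Dogtag PKI). The sample below is a constructed
# copy of the UserDirEnrollment entries this page adds to CS.cfg.
SAMPLE_CS_CFG="${TMPDIR:-/tmp}/cs-cfg-sample.$$"
cat > "$SAMPLE_CS_CFG" << 'EOF'
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
EOF
# Hardened variant: LDAPS on 636 with secureConn=true, so the bind password and
# the enrollee's uid/password travel inside TLS instead of in the clear.
HARDENED_CS_CFG="${TMPDIR:-/tmp}/cs-cfg-hardened.$$"
sed -e 's/ldapconn\.port=389/ldapconn.port=636/' \
    -e 's/secureConn=false/secureConn=true/' "$SAMPLE_CS_CFG" > "$HARDENED_CS_CFG"

# cs_get FILE KEY: print the value of KEY (everything after the first '=').
cs_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_dir_auth FILE INSTANCE: verify the auth manager instance is complete and
# report whether it protects passwords on the wire. Prints one line per finding.
# Returns 0 = complete and secure, 1 = missing/wrong keys, 2 = plaintext LDAP.
check_dir_auth() {
    file=$1; prefix="auths.instance.$2"; rc=0
    for key in pluginName ldap.basedn ldap.ldapauth.authtype \
               ldap.ldapauth.bindDN ldap.ldapauth.bindPWPrompt \
               ldap.ldapconn.host ldap.ldapconn.port ldap.ldapconn.secureConn; do
        if [ -z "$(cs_get "$file" "$prefix.$key")" ]; then
            echo "MISSING: $prefix.$key"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1
    if [ "$(cs_get "$file" "$prefix.pluginName")" != "UidPwdDirAuth" ]; then
        echo "WRONG PLUGIN: $prefix.pluginName is not UidPwdDirAuth"; return 1
    fi
    if [ "$(cs_get "$file" "$prefix.ldap.ldapconn.secureConn")" != "true" ]; then
        echo "PLAINTEXT: $prefix binds over plain LDAP on port $(cs_get "$file" "$prefix.ldap.ldapconn.port"); passwords are exposed on the network"
        rc=2
    fi
    return "$rc"
}
# Stand-alone usage: report on both files (exit status is the worst finding).
check_dir_auth "$SAMPLE_CS_CFG" UserDirEnrollment || echo "sample: exit status $?"
check_dir_auth "$HARDENED_CS_CFG" UserDirEnrollment && echo "hardened: ok"
```

Point the function at the real /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to audit a live instance, and remove the two temporary files afterwards.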

Enrollment

Renewal

See Also
