Configuring Directory Authenticated Certificate Profiles
This document describes how to use directory-authenticated certificate profiles:
- caDirUserCert: Dual-Use User Certificate Enrollment
- caECDirUserCert: Dual-Use ECC User Certificate Enrollment
- caDirUserRenewal: User Certificate Self-Renewal

It assumes that the CA is already installed.
Make sure the LDAP server has a user with a password:
```
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF
```
Verify using the following command:
```
$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "uid=testuser,ou=People,dc=example,dc=com" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    "(objectClass=*)"
```
By default the directory-authenticated profiles (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg) are configured with the UserDirEnrollment authentication manager:

```
auth.instance_id=UserDirEnrollment
```
Add the UserDirEnrollment authentication manager into /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

```
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
```
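The settings above send the enrolling user's uid and password to the directory on port 389 with `secureConn=false`, so the CA-to-LDAP link is unencrypted. The following check is an added example, not part of the Dogtag project; the function names and the `SecureDirEnrollment` instance are hypothetical, and the sample configuration is constructed from the block above.

```python
"""Flag UidPwdDirAuth auth managers in CS.cfg that bind to LDAP insecurely."""

# Constructed sample: the UserDirEnrollment block from this page plus a
# hypothetical second instance (SecureDirEnrollment) that uses LDAPS.
SAMPLE_CS_CFG = """\
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.SecureDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.SecureDirEnrollment.ldap.ldapauth.bindDN=uid=pkiauth,ou=Services,dc=example,dc=com
auths.instance.SecureDirEnrollment.ldap.ldapconn.host=ldap.example.com
auths.instance.SecureDirEnrollment.ldap.ldapconn.port=636
auths.instance.SecureDirEnrollment.ldap.ldapconn.secureConn=true
"""

PREFIX = "auths.instance."


def parse_auth_instances(text):
    """Group auths.instance.<name>.<setting>=<value> lines by instance name."""
    instances = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values such as bindDN contain '='
        name, _, setting = key[len(PREFIX):].partition(".")
        instances.setdefault(name, {})[setting] = value.strip()
    return instances


def audit(text):
    """Return (instance, finding) pairs for directory-based auth managers."""
    findings = []
    for name, cfg in sorted(parse_auth_instances(text).items()):
        if cfg.get("pluginName") != "UidPwdDirAuth":
            continue
        target = f'{cfg.get("ldap.ldapconn.host", "?")}:{cfg.get("ldap.ldapconn.port", "?")}'
        # Assumption: a missing secureConn key is reported as not secured.
        if cfg.get("ldap.ldapconn.secureConn", "").lower() != "true":
            findings.append((name, f"secureConn is not true: passwords reach {target} unencrypted"))
        if cfg.get("ldap.ldapauth.bindDN", "").lower() == "cn=directory manager":
            findings.append((name, "binds as cn=Directory Manager; prefer a low-privilege account"))
    return findings


if __name__ == "__main__":
    for instance, finding in audit(SAMPLE_CS_CFG):
        print(f"{instance}: {finding}")
```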
Customize the profile (e.g. /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg) as needed. To simplify testing, the validity range can be changed to 30 days:

```
policyset.userCertSet.2.default.params.range=30
```
Restart PKI server:
```
$ systemctl restart pki-tomcatd@pki-tomcat.service
```
Create a new client NSS database if necessary:
```
$ pki -c Secret.123 client-init
```
Execute the following command to submit the enrollment request. It will prompt for the LDAP password:
```
$ pki -U https://$HOSTNAME:8443 -c Secret.123 client-cert-request \
    --profile caDirUserCert --username testuser --password
Password: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 16
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xc
```
The certificate will be issued immediately.
Generate a CSR:
```
$ PKCS10Client -d ~/.dogtag/nssdb -p Secret.123 -a rsa -l 1024 -o testuser.csr \
    -n "UID=testuser"
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: pair.getPublic() called.
PKCS10Client: CertificationRequestInfo() created.
PKCS10Client: CertificationRequest created.
PKCS10Client: calling Utils.b64encode.
PKCS10Client: b64encode completes.
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAPEcxFJBu2lNmIS+MNaZKO43h0dIhKZWZ8wEomQc
tc9guIUGM5eFU+psj6n0XQCPMIVRe7mrzYHF8mlwAp416P5/97g9U6JOKkTXc5ia
HVE1JRhykHiQ17Lp7Y6xXxfe6xKAXDoLOPJ4fNdadtbVeIGjudWktjgwh5CQBXsA
GFP5AgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQAXrm979HwcG63Z64u+aybYrfOgyWxQ4kTtCA+NKYge
HC6Z/mlb10J/wggOzrHUbE4IFyjbBo2k1FKe8zYcXIB6Ok5Z0TXueR1zKcb8hE35
o9dkH2sGJsSqMLN8NRyY5QeqOKmtaX8pm1aPhJ0wkvOYou52YqJdq6LF9KXmBGOH
hA==
-----END NEW CERTIFICATE REQUEST-----
PKCS10Client: done. Request written to file: testuser.csr
```
Get the request template:
```
$ pki ca-cert-request-profile-show caDirUserCert --output testuser.xml
```
Edit the request file:
```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <Attributes>
        <Attribute name="uid">testuser</Attribute>
        <Attribute name="pwd">Secret.123</Attribute>
    </Attributes>
    <ProfileID>caDirUserCert</ProfileID>
    <Renewal>false</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>keyGenInputImpl</ClassID>
        <Name>Key Generation</Name>
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            <Descriptor>
                <Syntax>keygen_request_type</Syntax>
                <Description>Key Generation Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALvbVD1U6nzYh61tjjKC24mBqeKjABpEpl5CqyrT
guX5PtHdrlOUbWOro8vNzXMWccm3IVEgJHTQyQdxenIkIGcwMXu9XlwI6zph1UaT
oJ1CRh8z2Tn5Ncg6LvOejDJg+XtKEXEOTq0qzztBXTEe9uuKYb9AKc6iSmtfM7ZO
nCZPAgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQBeVpuaZ1Sr1tHznU/0xSQ3OvEd3poJ0mk44KRYFdwu
NbeZaGtvhYFwLfQH0mMOWrzvrh0a2eXWC8z51iuqvNJCHDX+rUGIYpZH8mtY3jMp
8mlDWClrcpAdmJTj0ztFggmBd0Zvl4EqPqp0SY5YYLxwEwcKXT/g8bDdS5UM68hq
QA==
-----END NEW CERTIFICATE REQUEST-----
            </Value>
            <Descriptor>
                <Syntax>keygen_request</Syntax>
                <Description>Key Generation Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>
```
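The edit step above can be scripted so that the password is XML-escaped correctly and the resulting file, which holds the LDAP password in clear text, is only readable by its owner. This is an added example, not code from the Dogtag project; `fill_request` and `write_private` are hypothetical names, and the template is a constructed, trimmed copy of the request file shown above.

```python
"""Fill a caDirUserCert request template with uid, pwd and a PKCS #10 CSR."""
import os
import xml.etree.ElementTree as ET

# Constructed template, trimmed to the elements this procedure edits.
TEMPLATE = """<CertEnrollmentRequest>
  <Attributes>
    <Attribute name="uid"></Attribute>
    <Attribute name="pwd"></Attribute>
  </Attributes>
  <ProfileID>caDirUserCert</ProfileID>
  <Renewal>false</Renewal>
  <Input id="i1">
    <ClassID>keyGenInputImpl</ClassID>
    <Attribute name="cert_request_type"><Value></Value></Attribute>
    <Attribute name="cert_request"><Value></Value></Attribute>
  </Input>
</CertEnrollmentRequest>"""


def fill_request(template_xml, uid, pwd, csr_pem):
    """Return the request XML with credentials and CSR set as element text."""
    root = ET.fromstring(template_xml)
    edits = {
        "./Attributes/Attribute[@name='uid']": uid,
        "./Attributes/Attribute[@name='pwd']": pwd,
        "./Input/Attribute[@name='cert_request_type']/Value": "pkcs10",
        "./Input/Attribute[@name='cert_request']/Value": csr_pem.strip(),
    }
    for path, text in edits.items():
        node = root.find(path)
        if node is None:
            raise ValueError(f"template is missing {path}")
        node.text = text  # ElementTree escapes '<', '>' and '&' on output
    return ET.tostring(root, encoding="unicode")


def write_private(path, data):
    """Write the request with mode 0600, since it contains the password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
```

Delete the request file once `ca-cert-request-submit` has completed.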
Submit the request:
```
$ pki -U https://$HOSTNAME:8443 -c Secret.123 ca-cert-request-submit testuser.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 16
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xc
```
The certificate will be issued immediately.
Import the new certificate into the client’s NSS database by providing a new nickname and the serial number:
```
$ pki -c Secret.123 client-cert-import testuser --serial 0xc
-------------------------------
Imported certificate "testuser"
-------------------------------
```
Verify with the following command:
```
$ pki -c Secret.123 client-cert-find
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1
  Nickname: CA Signing Certificate - EXAMPLE
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE

  Serial Number: 0xc
  Nickname: testuser
  Subject DN: UID=testuser,OU=People,DC=example,DC=com
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
----------------------------
Number of entries returned 2
----------------------------
```
Execute the following command to submit the renewal request. It will prompt for the LDAP password:
```
$ pki -U https://$HOSTNAME:8443 -c Secret.123 -n testuser client-cert-request \
    --profile caDirUserRenewal --username testuser --password
Password: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 23
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x11
```
The certificate will be issued immediately.
Remove the old certificate from the client NSS database:
```
$ pki -c Secret.123 client-cert-del testuser
------------------------------
Removed certificate "testuser"
------------------------------
```
Import the new certificate into the client NSS database:
```
$ pki -c Secret.123 client-cert-import testuser --serial 0x11
-------------------------------
Imported certificate "testuser"
-------------------------------
```
Verify with the following command:
```
$ pki -c Secret.123 client-cert-find
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1
  Nickname: CA Signing Certificate - EXAMPLE
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE

  Serial Number: 0x11
  Nickname: testuser
  Subject DN: UID=testuser,OU=People,DC=example,DC=com
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
----------------------------
Number of entries returned 2
----------------------------
```