Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
Chapter 24. Managing Certificates for Users, Hosts, and Services
Identity Management (IdM) supports two types of certificate authorities (CAs):
- Integrated IdM CA
- Integrated CAs can create, revoke, and issue certificates for users, hosts, and services. For more details, see Section 24.1, “Managing Certificates with the Integrated IdM CAs”.IdM supports creating lightweight sub-CAs. For more details, see Section 26.1, “Lightweight Sub-CAs”
- External CA
- An external CA is a CA other than the integrated IdM CA.Using IdM tools, you add certificates issued by these CAs to users, services, or hosts as well as remove them. For more details, see Section 24.2, “Managing Certificates Issued by External CAs”.
Each user, host, or service can have multiple certificates assigned.
Note
For more details on the supported CA configurations of the IdM server, see Section 2.3.2, “Determining What CA Configuration to Use”.
24.1. Managing Certificates with the Integrated IdM CAs
24.1.1. Requesting New Certificates for a User, Host, or Service
To request a certificate using:
- the IdM web UI, see the section called “Web UI: Requesting New Certificates”.
- the command line, see the section called “Command Line: Requesting New Certificates”.
Note that you must generate the certificate request itself with a third-party tool. The following procedures use the
certutil and openSSL utilities.
Important
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service's private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the CSR on the service node.
Web UI: Requesting New Certificates
- Under the Identity tab, select the Users, Hosts, or Services subtab.
- Click the name of the user, host, or service to open its configuration page.
Figure 24.1. List of Hosts
- Click → .
- Optional: Select the issuing CA and profile ID.
- Follow the instructions on the screen for using
certutil. - Click .
Command Line: Requesting New Certificates
Request a new certificate using
certutil in standard situations - see Section 24.1.1.1, “Requesting New Certificates Using certutil”. Request a new certificate using openSSL to enable a Kerberos alias to use a host or service certificate - see Section 24.1.1.2, “Preparing a Certificate Request With Multiple SAN Fields Using OpenSSL”.
24.1.1.1. Requesting New Certificates Using certutil
- Create a temporary directory for the certificate database:
# mkdir ~/certdb/
- Create a new temporary certificate database, for instance:
# certutil -N -d ~/certdb/
- Create the certificate signing request (CSR) and redirect the output to a file. For example, to create a CSR for a 4096 bit certificate and to set the subject to CN=server.example.com,O=EXAMPLE.COM:
# certutil -R -d ~/certdb/ -a -g 4096 -s "CN=server.example.com,O=EXAMPLE.COM" -8 server.example.com > certificate_request.csr
- Submit the certificate request to the CA. For details, see Section 24.1.1.4, “Submitting a Certificate Request to the IdM CA”.
24.1.1.2. Preparing a Certificate Request With Multiple SAN Fields Using OpenSSL
- Create one or more aliases, for example test1/server.example.com, test2/server.example.com, for your Kerberos principal test/server.example.com. See Section 20.2.1, “Kerberos Principal Alias” for more details.
- In the CSR, add a subjectAltName for dnsName (server.example.com) and otherName (test2/server.example.com). To do this, configure the
openssl.conffile so that it includes the following line specifying the UPN otherName and subjectAltName:otherName=1.3.6.1.4.1.311.20.2.3;UTF8:test2/server.example.com@EXAMPLE.COM DNS.1 = server.example.com
- Create a certificate request using
openssl:openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -out certificate_request.csr -config openssl.conf
- Submit the certificate request to the CA. For details, see Section 24.1.1.4, “Submitting a Certificate Request to the IdM CA”.
24.1.1.3. Requesting New Certificates Using Certmonger
You can use the
certmonger service to request a certificate from an IdM CA. For details, see the Requesting a CA-signed Certificate Through SCEP section in the System-level Authentication Guide.
24.1.1.4. Submitting a Certificate Request to the IdM CA
Submit the certificate request file to the CA running on the IdM server. Be sure to specify the Kerberos principal to associate with the newly-issued certificate:
# ipa cert-request certificate_request.csr --principal=host/server.example.com
The ipa cert-request command in IdM uses the following defaults:
- Certificate profile:
caIPAserviceCertTo select a custom profile, use the--profile-idoption with the ipa cert-request command.For further details about creating a custom certificate profile, see Section 24.4.1, “Creating a Certificate Profile”. - Integrated CA:
ipa(IdM root CA)To select a sub-CA, use the--caoption with the ipa cert-request command.
For further details, see the output of the ipa cert-request --help command.
24.1.2. Revoking Certificates with the Integrated IdM CAs
If you need to invalidate the certificate before its expiration date, you can revoke it. To revoke a certificate using:
- the IdM web UI, see the section called “Web UI: Revoking Certificates”
- the command line, see the section called “Command Line: Revoking Certificates”
A revoked certificate is invalid and cannot be used for authentication. All revocations are permanent, except for reason 6: Certificate Hold.
Table 24.1. Revocation Reasons
| ID | Reason | Explanation |
|---|---|---|
| 0 | Unspecified | |
| 1 | Key Compromised |
The key that issued the certificate is no longer trusted.
Possible causes: lost token, improperly accessed file.
|
| 2 | CA Compromised | The CA that issued the certificate is no longer trusted. |
| 3 | Affiliation Changed |
Possible causes:
|
| 4 | Superseded | A newer certificate has replaced the current certificate. |
| 5 | Cessation of Operation | The host or service is being decommissioned. |
| 6 | Certificate Hold | The certificate is temporarily revoked. You can restore the certificate later. |
| 8 | Remove from CRL | The certificate is not included in the certificate revocation list (CRL). |
| 9 | Privilege Withdrawn | The user, host, or service is no longer permitted to use the certificate. |
| 10 | Attribute Authority (AA) Compromise | The AA certificate is no longer trusted. |
Web UI: Revoking Certificates
To revoke a certificate:
- Open the Authentication tab, and select the Certificates subtab.
- Click the serial number of the certificate to open the certificate information page.
Figure 24.2. List of Certificates
- Click → .
- Select the reason for revoking, and click . See Table 24.1, “Revocation Reasons” for details.
Command Line: Revoking Certificates
Use the ipa cert-revoke command, and specify:
- the certificate serial number
- a number that identifies the reason for the revocation; see Table 24.1, “Revocation Reasons” for details
For example, to revoke the certificate with serial number
1032 because of reason 1: Key Compromised:
$ ipa cert-revoke 1032 --revocation-reason=1
24.1.3. Restoring Certificates with the Integrated IdM CAs
If you have revoked a certificate because of reason 6: Certificate Hold, you can restore it again. To restore a certificate using:
- the IdM web UI, see the section called “Web UI: Restoring Certificates”
- the command line, see the section called “Command Line: Restoring Certificates”
Web UI: Restoring Certificates
- Open the Authentication tab, and select the Certificates subtab.
- Click the serial number of the certificate to open the certificate information page.
Figure 24.3. List of Certificates
- Click → .
Command Line: Restoring Certificates
Use the ipa cert-remove-hold command and specify the certificate serial number. For example:
$ ipa cert-remove-hold 1032
