Difference between revisions of "Client certificate authentication ipa"
From Asenjo
(Created page with "We can use [http://www.freeipa.org/page/V4/User_Certificates user certificates] to authenticate our ldap session. == generate user certificate for user account == Follow inst...") |
m |
||
| Line 57: | Line 57: | ||
xxxxxxxxxxxxxxxxxxxxx | xxxxxxxxxxxxxxxxxxxxx | ||
</pre> | </pre> | ||
| + | |||
| + | * request the certificate (as the user self or as an admin user): | ||
| + | <pre> | ||
| + | $ ipa cert-request user10.csr --principal user10 | ||
| + | .... | ||
| + | </pre> | ||
| + | |||
| + | If everything goes according to plan, you know have a certificate coupled to the user account | ||
| + | |||
| + | <pre> | ||
| + | $ ipa user-show user10 | ||
| + | ipa: ERROR: Could not create log_dir u'/home/admin/.ipa/log' | ||
| + | User login: user10 | ||
| + | First name: ipa | ||
| + | Last name: user | ||
| + | Home directory: /home/user10 | ||
| + | Login shell: /bin/sh | ||
| + | Email address: user10@yourdomain.tld | ||
| + | UID: 1076200013 | ||
| + | GID: 1076200013 | ||
| + | Certificate: MIIEMjCCAxqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5VTklYxxxxxxxxxxxxxxxxxxxxxxxxxxxx== | ||
| + | Account disabled: False | ||
| + | Password: True | ||
| + | Member of groups: ipausers | ||
| + | Kerberos keys available: True | ||
| + | </pre> | ||
| + | |||
| + | * retrieve the certificate: | ||
| + | first we need to get the certificate's serial number. | ||
| + | |||
| + | <pre> | ||
| + | ipa cert-find | ||
| + | ... | ||
| + | Serial number (hex): 0xE | ||
| + | Serial number: 14 | ||
| + | Status: VALID | ||
| + | Subject: CN=user10,O=YOURDOMAIN.TLD | ||
| + | <pre> | ||
| + | So, number 14. | ||
| + | |||
| + | <pre> | ||
| + | ipa cert-show 14 --out user10.pem | ||
| + | </pre> | ||
| + | |||
| + | * eventually, verify certificate: | ||
| + | <pre> | ||
| + | openssl x509 -in user10.pem -noout -text | ||
| + | </pre> | ||
| + | which will give you all the certificate output on screen. | ||
Revision as of 00:16, 5 March 2016
We can use user certificates to authenticate our ldap session.
generate user certificate for user account
Follow instructions in this blog.
Short version:
- create csr (certificate signing request).
I usually create a new directory and name it after the name of the user/host we want to create a certificate for. For user10, create a user10 folder.
Inside this folder, create a text file user10.inf like this:
[ req ] prompt = no encrypt_key = no distinguished_name = dn req_extensions = exts [ dn ] commonName = "user10" [ exts ] subjectAltName=email:user10@yourdomain.tld
- generate a key:
openssl genrsa -out user10.key 2048
- generate the csr:
openssl req -new -key user10.key -out user10.csr -config user10.inf
- verify csr:
openssl req -in user10.csr -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=user10
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c2:d2:0c:44:c8:e3:8b:d7:e5:bc:b6:5d:fc:cf:
xxxxx
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
email:user10@yourdomain.tld
Signature Algorithm: sha1WithRSAEncryption
05:7b:a7:51:1e:28:25:8d:78:fb:d9:08:43:6d:54:51:db:10:
xxxxxxxxxxxxxxxxxxxxx
- request the certificate (as the user self or as an admin user):
$ ipa cert-request user10.csr --principal user10 ....
If everything goes according to plan, you know have a certificate coupled to the user account
$ ipa user-show user10 ipa: ERROR: Could not create log_dir u'/home/admin/.ipa/log' User login: user10 First name: ipa Last name: user Home directory: /home/user10 Login shell: /bin/sh Email address: user10@yourdomain.tld UID: 1076200013 GID: 1076200013 Certificate: MIIEMjCCAxqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5VTklYxxxxxxxxxxxxxxxxxxxxxxxxxxxx== Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True
- retrieve the certificate:
first we need to get the certificate's serial number.
ipa cert-find ... Serial number (hex): 0xE Serial number: 14 Status: VALID Subject: CN=user10,O=YOURDOMAIN.TLD <pre> So, number 14. <pre> ipa cert-show 14 --out user10.pem
- eventually, verify certificate:
openssl x509 -in user10.pem -noout -text
which will give you all the certificate output on screen.
