Difference between revisions of "Client certificate authentication ipa"
From Asenjo
(Created page with "We can use [http://www.freeipa.org/page/V4/User_Certificates user certificates] to authenticate our ldap session. == generate user certificate for user account == Follow inst...")
Revision as of 00:16, 5 March 2016
We can use user certificates (http://www.freeipa.org/page/V4/User_Certificates) to authenticate our LDAP session.
Generate a user certificate for a user account
Follow the instructions in this blog.
Short version:
- create a CSR (certificate signing request).
I usually create a new directory named after the user or host the certificate is for. For user10, create a user10 folder.
Inside this folder, create a text file user10.inf like this:
<pre>
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "user10"

[ exts ]
subjectAltName=email:user10@yourdomain.tld
</pre>
Note that encrypt_key = no leaves the private key unencrypted on disk, so keep the directory and the .key file readable by the user only.
- generate a key:
<pre>
openssl genrsa -out user10.key 2048
</pre>
- generate the CSR:
<pre>
openssl req -new -key user10.key -out user10.csr -config user10.inf
</pre>
- verify the CSR:
<pre>
openssl req -in user10.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=user10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:d2:0c:44:c8:e3:8b:d7:e5:bc:b6:5d:fc:cf:
                    xxxxx
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:user10@yourdomain.tld
    Signature Algorithm: sha1WithRSAEncryption
         05:7b:a7:51:1e:28:25:8d:78:fb:d9:08:43:6d:54:51:db:10:
         xxxxxxxxxxxxxxxxxxxxx
</pre>
Check that the Subject CN and the Subject Alternative Name are exactly what you put in user10.inf, because that is what the IPA CA will match against the user account. The sha1WithRSAEncryption shown is only the CSR's self-signature (the default digest of this openssl version); the signature algorithm of the issued certificate is chosen by the IPA CA, not taken from the CSR. If you would rather not see SHA-1 at all, set default_md = sha256 in the [ req ] section (or pass -sha256 to openssl req).
- request the certificate (as the user itself or as an admin user):
<pre>
$ ipa cert-request user10.csr --principal user10
....
</pre>
The output of ipa cert-request (elided above) already includes the serial number of the issued certificate; note it down and you can skip the cert-find step below.
If everything goes according to plan, you now have a certificate coupled to the user account:
<pre>
$ ipa user-show user10
ipa: ERROR: Could not create log_dir u'/home/admin/.ipa/log'
  User login: user10
  First name: ipa
  Last name: user
  Home directory: /home/user10
  Login shell: /bin/sh
  Email address: user10@yourdomain.tld
  UID: 1076200013
  GID: 1076200013
  Certificate: MIIEMjCCAxqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5VTklYxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
</pre>
(The log_dir error only means the ipa client could not write its own log file under ~/.ipa; as the output shows, the command still completed.)
- retrieve the certificate:
First we need the certificate's serial number. ipa cert-find without arguments lists every certificate the CA has issued; ipa cert-find --subject=user10 narrows it down.
<pre>
ipa cert-find
...
  Serial number (hex): 0xE
  Serial number: 14
  Status: VALID
  Subject: CN=user10,O=YOURDOMAIN.TLD
</pre>
So, number 14 (the decimal serial number). Note that the CSR only contained CN=user10; the O=YOURDOMAIN.TLD part of the subject was added by the IPA CA according to its certificate profile.
<pre>
ipa cert-show 14 --out user10.pem
</pre>
- finally, verify the certificate:
<pre>
openssl x509 -in user10.pem -noout -text
</pre>
which prints the whole certificate on screen. Check that the Subject Alternative Name is still the user's e-mail address, that the Issuer is your IPA CA, and that the public key is the one from user10.key; only then is the certificate usable for authenticating as that user.
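The whole procedure as one script, as an added example that is not part of the original page: make_csr and check_csr cover the steps up to ipa cert-request (key, CSR from an inline copy of the user10.inf template, CSR check), check_issued and cert_serial_decimal cover the checks on the certificate you get back from ipa cert-show. The user name, e-mail address and directory are parameters, not values from the page, and the CA certificate path /etc/ipa/ca.crt mentioned in the comments is an assumption about an enrolled IPA client. The IPA CA itself cannot be driven offline, so make_test_ca and sign_with_test_ca are a constructed stand-in (a throwaway self-signed CA) used only to exercise the checks.

```shell
#!/bin/sh
# Added example, not from the original page: the page's key/CSR/verify steps as
# shell functions. make_csr and check_csr cover everything up to
# `ipa cert-request`; check_issued and cert_serial_decimal cover the checks on
# the certificate returned by `ipa cert-show`. The IPA CA cannot be driven
# offline, so make_test_ca/sign_with_test_ca are a constructed stand-in (a
# throwaway self-signed CA) used only to exercise the checks.
set -eu

# make_csr USER EMAIL DIR: write DIR/USER.inf, DIR/USER.key and DIR/USER.csr
# (same template as user10.inf on the page, plus default_md = sha256 so the
# CSR self-signature is not SHA-1).
make_csr() {
    user=$1; email=$2; dir=$3
    mkdir -p "$dir"
    cat > "$dir/$user.inf" <<EOF
[ req ]
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "$user"

[ exts ]
subjectAltName = email:$email
EOF
    openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
    chmod 600 "$dir/$user.key"   # the key is unencrypted (encrypt_key = no)
    openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" -config "$dir/$user.inf"
}

# check_csr CSR USER EMAIL: succeed only if the CSR's self-signature verifies
# and its Subject CN and SAN e-mail are the expected ones.
check_csr() {
    csr=$1; user=$2; email=$3
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text)
    # OpenSSL 1.0 prints "CN=user10", 1.1/3.x print "CN = user10"; accept both.
    printf '%s\n' "$text" | grep -q "Subject: CN *= *$user *\$" || return 1
    printf '%s\n' "$text" | grep -qF "email:$email"
}

# check_issued CERT KEY CAFILE: the issued certificate must chain to the CA
# certificate and must carry the public key of our private key. On an
# enrolled IPA client the CA certificate is normally /etc/ipa/ca.crt (assumed).
check_issued() {
    cert=$1; key=$2; ca=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$cert" -noout -modulus)" = \
      "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ]
}

# cert_serial_decimal CERT: print the serial number in decimal, the form the
# page passes to `ipa cert-show` (openssl prints it in hex, e.g. serial=0E).
cert_serial_decimal() {
    hex=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    echo $((0x$hex))
}

# --- constructed offline stand-in for the IPA CA (test fixture only) ---
make_test_ca() {
    dir=$1
    cat > "$dir/ca.inf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_exts
[ dn ]
O = EXAMPLE.TEST
CN = Certificate Authority
[ ca_exts ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.inf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# sign_with_test_ca CSR INF CADIR OUT SERIAL: issue CSR with the stand-in CA,
# copying the SAN from the [ exts ] section of INF and using the given serial.
sign_with_test_ca() {
    csr=$1; inf=$2; cadir=$3; out=$4; serial=$5
    openssl x509 -req -in "$csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
        -set_serial "$serial" -days 30 -extfile "$inf" -extensions exts \
        -out "$out" 2>/dev/null
}

# Usage: sh user-cert.sh USER EMAIL DIR, then
#   ipa cert-request DIR/USER.csr --principal USER
if [ "$#" -eq 3 ]; then
    make_csr "$1" "$2" "$3"
    if check_csr "$3/$1.csr" "$1" "$2"; then
        echo "$3/$1.csr is ready for ipa cert-request --principal $1"
    else
        echo "CSR check failed" >&2; exit 1
    fi
fi
```

Run it with the user name, e-mail address and target directory to get a checked CSR for ipa cert-request; after ipa cert-show has written the PEM file, call check_issued with the PEM, the key and the IPA CA certificate, and cert_serial_decimal to confirm the serial number matches the one you passed to ipa cert-show. The negative checks (wrong CN, wrong e-mail, wrong key) are the failure modes worth catching before the certificate is used for authentication.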