Client certificate authentication ipa
From Asenjo
Revision as of 00:02, 5 March 2016 by Natxo
We can use user certificates to authenticate our LDAP session.
Generate user certificate for user account
Follow instructions in this blog.
Short version:
- create csr (certificate signing request).
I usually create a new directory and name it after the name of the user/host we want to create a certificate for. For user10, create a user10 folder.
Inside this folder, create a text file user10.inf like this:
    [ req ]
    prompt = no
    encrypt_key = no
    distinguished_name = dn
    req_extensions = exts

    [ dn ]
    commonName = "user10"

    [ exts ]
    subjectAltName=email:user10@yourdomain.tld
- generate a key:
openssl genrsa -out user10.key 2048
- generate the csr:
openssl req -new -key user10.key -out user10.csr -config user10.inf
- verify csr:
    openssl req -in user10.csr -text -noout
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=user10
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c2:d2:0c:44:c8:e3:8b:d7:e5:bc:b6:5d:fc:cf:
                        xxxxx
                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    email:user10@yourdomain.tld
        Signature Algorithm: sha1WithRSAEncryption
             05:7b:a7:51:1e:28:25:8d:78:fb:d9:08:43:6d:54:51:db:10:
             xxxxxxxxxxxxxxxxxxxxx
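The steps above combined into one script, as an added example that is not part of the original page: it builds the CSR and then checks it mechanically (self-signature, exact subject, SAN email, key size, digest, key file permissions) instead of by reading the text dump. The function names `make_user_csr` and `check_user_csr` are hypothetical, `yourdomain.tld` is the page's placeholder domain, and requesting `-sha256` explicitly is an assumption added here.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# yourdomain.tld is the page's placeholder domain.

# make_user_csr USER [DOMAIN]: writes USER/USER.inf, USER.key and USER.csr
make_user_csr() {
    user=$1 domain=${2:-yourdomain.tld}
    (
        umask 077   # encrypt_key = no leaves the key in clear text on disk
        mkdir -p "$user" && cd "$user" || exit 1
        cat > "$user.inf" <<EOF
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "$user"

[ exts ]
subjectAltName=email:$user@$domain
EOF
        openssl genrsa -out "$user.key" 2048 2>/dev/null &&
            openssl req -new -sha256 -key "$user.key" -out "$user.csr" -config "$user.inf"
    )
}

# check_user_csr USER [DOMAIN]: returns 0 only if every check below passes
check_user_csr() {
    user=$1 domain=${2:-yourdomain.tld}
    csr="$user/$user.csr" key="$user/$user.key"
    # Self-signature check: the request was signed by the key it carries.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # Strip indentation and normalise "CN = x" (newer OpenSSL) to "CN=x".
    text=$(openssl req -in "$csr" -noout -text |
        sed 's/^ *//; s/ *$//; s/^Subject: CN *= */Subject: CN=/') || return 1
    printf '%s\n' "$text" | grep -Fxq "Subject: CN=$user" || return 1
    printf '%s\n' "$text" | grep -Fxq "email:$user@$domain" || return 1
    printf '%s\n' "$text" | grep -Fq '(2048 bit)' || return 1
    # Reject SHA-1 signed requests such as the one in the sample output above.
    if printf '%s\n' "$text" | grep -q '^Signature Algorithm: sha1'; then return 1; fi
    # Key file must not be readable by group or others.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ]
}
```

Run `make_user_csr user10 && check_user_csr user10` from an empty working directory; a non-zero status from the check means the request should not be submitted for signing.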