Client certificate authentication ipa

From Asenjo
Revision as of 00:02, 5 March 2016 by Natxo

We can use FreeIPA user certificates to authenticate our LDAP session.

generate user certificate for user account

Follow the instructions in this blog.

Short version:

  • create csr (certificate signing request).

I usually create a new directory named after the user or host the certificate is for. For user10, create a user10 folder.

Inside this folder, create a text file user10.inf like this:

[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "user10"

[ exts ]
subjectAltName=email:user10@yourdomain.tld
  • generate a key:
openssl genrsa -out user10.key 2048
  • generate the csr:
openssl req -new -key user10.key -out user10.csr -config user10.inf
  • verify the csr:
openssl req -in user10.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=user10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:d2:0c:44:c8:e3:8b:d7:e5:bc:b6:5d:fc:cf:
                    xxxxx
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                email:user10@yourdomain.tld
    Signature Algorithm: sha1WithRSAEncryption
         05:7b:a7:51:1e:28:25:8d:78:fb:d9:08:43:6d:54:51:db:10:
         xxxxxxxxxxxxxxxxxxxxx
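The whole procedure above (config file, key, CSR, verification) as one script. This is an added example, not code from the original page or from FreeIPA; the function names, the user10 / user10@yourdomain.tld placeholders and the temporary working directory are mine, and it assumes an openssl binary on PATH. It differs from the steps above in three places a practitioner would want: the private key is created under umask 077 so it is never world-readable (the config disables key encryption, so file permissions are the only protection it has), the request is signed with SHA-256 rather than the sha1WithRSAEncryption shown in the output above, and the verification step actually checks the CSR instead of just printing it: the self-signature must verify, the CN must equal the user name, the SAN must carry the expected e-mail address, and the key must be 2048 bits.

```shell
#!/bin/sh
# Added example (not from the original page): key + CSR for a FreeIPA user,
# followed by a local check of the CSR before it is sent to the CA.
# Assumes: openssl on PATH; user name and e-mail below are placeholders.
set -eu

# Write an openssl req config for one user to $3 (same layout as user10.inf,
# plus default_md so the request is not SHA-1 signed by old OpenSSL defaults).
write_req_conf() {
    user=$1; mail=$2; out=$3
    cat > "$out" <<EOF
[ req ]
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "$user"

[ exts ]
subjectAltName = email:$mail
EOF
}

# Generate a 2048-bit RSA key and a CSR for the user.
# Arguments: user, e-mail, directory. Leaves $dir/$user.key and $dir/$user.csr.
make_user_key_csr() {
    user=$1; mail=$2; dir=$3
    mkdir -p "$dir"
    write_req_conf "$user" "$mail" "$dir/$user.inf"
    # umask 077: the unencrypted key is mode 0600 from the moment it exists
    (umask 077 && openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$dir/$user.key" \
        -out "$dir/$user.csr" -config "$dir/$user.inf"
}

# Check a CSR before submitting it: valid self-signature, CN equals the user,
# SAN carries the expected e-mail, 2048-bit key, no SHA-1 signature.
# Returns 0 when every check passes, 1 (with a reason on stderr) otherwise.
check_csr() {
    csr=$1; user=$2; mail=$3
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "$csr: self-signature does not verify" >&2; return 1; }
    text=$(openssl req -in "$csr" -noout -text)
    # Subject line is "CN=user10" (OpenSSL 1.0) or "CN = user10" (1.1 and later)
    printf '%s\n' "$text" | grep -Eq "^ *Subject: *CN *= *$user\$" \
        || { echo "$csr: CN is not $user" >&2; return 1; }
    printf '%s\n' "$text" | grep -Eq "email:$mail\$" \
        || { echo "$csr: SAN does not carry $mail" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' \
        || { echo "$csr: key is not 2048 bit" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'sha1WithRSAEncryption' \
        && { echo "$csr: signed with SHA-1" >&2; return 1; }
    return 0
}

# Demo run for the placeholder user in a throw-away directory.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_user_key_csr user10 user10@yourdomain.tld "$workdir"
if check_csr "$workdir/user10.csr" user10 user10@yourdomain.tld; then
    echo "user10.csr passes local checks; submit it to the IPA CA"
else
    echo "user10.csr rejected locally" >&2
    exit 1
fi
```

The same checks are worth running on any CSR before it goes to a CA: a CN or e-mail SAN that does not match the account the certificate is meant for is the usual reason a request comes back rejected, and it is cheaper to catch that on the client.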