Client certificate authentication ipa

From Asenjo
Revision as of 00:16, 5 March 2016 by Natxo (Talk | contribs)


We can use user certificates to authenticate our LDAP session.

Generate a user certificate for a user account

Follow the instructions in this blog post.

Short version:

  • create a CSR (certificate signing request).

I usually create a new directory and name it after the user/host we want a certificate for. For user10, create a user10 folder.

Inside this folder, create a text file user10.inf like this:

<pre>
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "user10"

[ exts ]
subjectAltName=email:user10@yourdomain.tld
</pre>
  • generate a key:

<pre>
openssl genrsa -out user10.key 2048
</pre>

  • generate the CSR:

<pre>
openssl req -new -key user10.key -out user10.csr -config user10.inf
</pre>

  • verify the CSR:

<pre>
openssl req -in user10.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=user10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:d2:0c:44:c8:e3:8b:d7:e5:bc:b6:5d:fc:cf:
                    xxxxx
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                email:user10@yourdomain.tld
    Signature Algorithm: sha1WithRSAEncryption
         05:7b:a7:51:1e:28:25:8d:78:fb:d9:08:43:6d:54:51:db:10:
         xxxxxxxxxxxxxxxxxxxxx
</pre>
  • request the certificate (as the user themselves or as an admin user):

<pre>
$ ipa cert-request user10.csr --principal user10
....
</pre>

If everything goes according to plan, you now have a certificate coupled to the user account:

<pre>
$ ipa user-show user10
ipa: ERROR: Could not create log_dir u'/home/admin/.ipa/log'
  User login: user10
  First name: ipa
  Last name: user
  Home directory: /home/user10
  Login shell: /bin/sh
  Email address: user10@yourdomain.tld
  UID: 1076200013
  GID: 1076200013
  Certificate: MIIEMjCCAxqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5VTklYxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
</pre>
  • retrieve the certificate:

First we need the certificate's serial number.

<pre>
ipa cert-find
...
  Serial number (hex): 0xE
  Serial number: 14
  Status: VALID
  Subject: CN=user10,O=YOURDOMAIN.TLD
</pre>

So, number 14.

<pre>
ipa cert-show 14 --out user10.pem
</pre>
  • optionally, verify the certificate:

<pre>
openssl x509 -in user10.pem -noout -text
</pre>

which prints the full certificate on screen.
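The whole procedure above, scripted as an added example (this is not code from the wiki page or from FreeIPA): it builds the .inf, key and CSR for one user, checks the CSR before it goes to `ipa cert-request`, and, once `ipa cert-show` has written the PEM, checks that the certificate really belongs to the key generated here and still carries the e-mail SAN that IPA matches to the account. The function names, the user name, domain and directory arguments are assumptions; the `ipa` commands themselves are not run, because they need a live IPA server.

```shell
#!/bin/sh
# Added example, not from the original page. Scripts the "short version"
# steps for one user and adds the checks a practitioner wants before and
# after talking to IPA. User, domain and directory are assumed arguments.

# Create <dir>/<user>.inf, <user>.key and <user>.csr as in the steps above.
make_user_csr() {
    user="$1"; domain="$2"; dir="${3:-$1}"
    mkdir -p "$dir"
    cat > "$dir/$user.inf" <<EOF
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "$user"

[ exts ]
subjectAltName=email:$user@$domain
EOF
    openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
        -config "$dir/$user.inf"
}

# Return 0 when the CSR's self-signature verifies, its subject is CN=<user>
# and its SAN carries email:<user>@<domain>; 1 otherwise. Run this before
# `ipa cert-request`, since IPA matches the SAN e-mail to the account.
check_user_csr() {
    user="$1"; domain="$2"; csr="$3"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q "Subject: CN *= *$user\$" || return 1
    printf '%s\n' "$text" | grep -q "email:$user@$domain" || return 1
}

# Return 0 when the PEM (e.g. written by `ipa cert-show <serial> --out`)
# was issued for <key> (same RSA modulus) and still names <user>@<domain>.
check_user_cert() {
    user="$1"; domain="$2"; key="$3"; pem="$4"
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 1
    cmod=$(openssl x509 -in "$pem" -noout -modulus) || return 1
    [ "$kmod" = "$cmod" ] || return 1
    openssl x509 -in "$pem" -noout -text | grep -q "email:$user@$domain"
}

# Print a PEM certificate's serial number in decimal, the form that
# `ipa cert-show` takes (cert-find shows both 0xE and 14 above).
cert_serial_decimal() {
    hex=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//') || return 1
    printf '%d\n' "0x$hex"
}
```

Usage follows the page's order: `make_user_csr user10 yourdomain.tld` and `check_user_csr user10 yourdomain.tld user10/user10.csr` before the `ipa cert-request` step; after `ipa cert-show 14 --out user10/user10.pem`, `check_user_cert user10 yourdomain.tld user10/user10.key user10/user10.pem` confirms the retrieved certificate is the one for this key, and `cert_serial_decimal user10/user10.pem` gives the decimal serial back.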