Client certificate authentication ipa
From Asenjo
We can use user certificates to authenticate our LDAP session.
Generate a user certificate for a user account
Follow the instructions in this blog.
Short version:
- create csr (certificate signing request).
I usually create a new directory and name it after the user/host we want to create a certificate for. For user10, create a user10 folder.
Inside this folder, create a text file user10.inf like this:
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "user10"

[ exts ]
subjectAltName=email:user10@yourdomain.tld
- generate a key:
openssl genrsa -out user10.key 2048
- generate the csr:
openssl req -new -key user10.key -out user10.csr -config user10.inf
- verify csr:
openssl req -in user10.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=user10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:d2:0c:44:c8:e3:8b:d7:e5:bc:b6:5d:fc:cf:
                    xxxxx
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:user10@yourdomain.tld
    Signature Algorithm: sha1WithRSAEncryption
         05:7b:a7:51:1e:28:25:8d:78:fb:d9:08:43:6d:54:51:db:10:
         xxxxxxxxxxxxxxxxxxxxx
- request the certificate (as the user themselves or as an admin user):
$ ipa cert-request user10.csr --principal user10 ....
If everything goes according to plan, you now have a certificate coupled to the user account:
$ ipa user-show user10
ipa: ERROR: Could not create log_dir u'/home/admin/.ipa/log'
  User login: user10
  First name: ipa
  Last name: user
  Home directory: /home/user10
  Login shell: /bin/sh
  Email address: user10@yourdomain.tld
  UID: 1076200013
  GID: 1076200013
  Certificate: MIIEMjCCAxqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5VTklYxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
- retrieve the certificate:
First we need to get the certificate's serial number.
ipa cert-find ...
  Serial number (hex): 0xE
  Serial number: 14
  Status: VALID
  Subject: CN=user10,O=YOURDOMAIN.TLD
So, number 14.
ipa cert-show 14 --out user10.pem
- optionally, verify the certificate:
openssl x509 -in user10.pem -noout -text
which prints the full certificate contents to the screen.
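The whole procedure above, collected into one POSIX shell script as an added example (this is not code from the wiki page or from FreeIPA itself). It writes the request config the page shows, generates the key and CSR into a per-user folder, and parses the decimal serial out of `ipa cert-find` output so `ipa cert-show` can fetch the PEM. Assumptions: the user name and e-mail are passed as arguments, `yourdomain.tld` is the page's placeholder domain, the `ipa cert-find --subject=` filter is assumed to be available on the installed IPA version, and the `ipa` steps are only run when you call `ipa_request_and_fetch` yourself (the sample cert-find output embedded below is constructed for offline demonstration).

```shell
#!/bin/sh
# Added example, not from the original page. Builds the OpenSSL request config,
# key and CSR for an IPA user, then retrieves the issued certificate by serial.

# Write the request config from the page, parameterised on user name and e-mail.
make_req_config() {
  user="$1"; email="$2"
cat <<EOF
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "$user"

[ exts ]
subjectAltName = email:$email
EOF
}

# Extract the decimal serial from `ipa cert-find` output on stdin.
# Only the "Serial number: N" line matches; "Serial number (hex): 0xE" is skipped.
# Caveat: with several certificates for one subject this takes the first listed.
serial_from_cert_find() {
  grep -E '^[[:space:]]*Serial number: [0-9]+$' | head -n 1 | sed 's/.*Serial number: //'
}

# Generate key and CSR into a folder named after the user, as the page describes.
make_csr() {
  user="$1"; email="$2"
  mkdir -p "$user"
  make_req_config "$user" "$email" > "$user/$user.inf"
  openssl genrsa -out "$user/$user.key" 2048 2>/dev/null
  # encrypt_key = no means the key is stored in the clear: keep it owner-only.
  chmod 600 "$user/$user.key"
  openssl req -new -key "$user/$user.key" -out "$user/$user.csr" -config "$user/$user.inf"
  # Sanity check: the CSR must carry the SAN e-mail that IPA will bind to the user.
  openssl req -in "$user/$user.csr" -noout -text | grep -q "email:$email"
}

# Submit the CSR to IPA and fetch the issued certificate (requires an IPA client
# and a Kerberos ticket; not executed automatically).
ipa_request_and_fetch() {
  user="$1"
  ipa cert-request "$user/$user.csr" --principal "$user"
  serial=$(ipa cert-find --subject="$user" | serial_from_cert_find)   # --subject filter: assumption
  [ -n "$serial" ] || { echo "no certificate found for $user" >&2; return 1; }
  ipa cert-show "$serial" --out "$user/$user.pem"
  openssl x509 -in "$user/$user.pem" -noout -subject -dates
}

# Constructed sample of `ipa cert-find` output (mirrors the page's listing).
SAMPLE_CERT_FIND='  Serial number (hex): 0xE
  Serial number: 14
  Status: VALID
  Subject: CN=user10,O=YOURDOMAIN.TLD'

# Stand-alone demonstration: parse the sample, and build a CSR if openssl is present.
serial=$(printf '%s\n' "$SAMPLE_CERT_FIND" | serial_from_cert_find)
echo "serial parsed from sample cert-find output: $serial"   # 14
if command -v openssl >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  ( cd "$workdir" && make_csr user10 user10@yourdomain.tld \
      && echo "CSR written to $workdir/user10/user10.csr" )
fi
```

Run `make_csr user10 user10@yourdomain.tld` on the workstation, then `ipa_request_and_fetch user10` on a host with an IPA ticket; the `.key` stays with the user and only the CSR and PEM move around.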