Discussion:
[Freeipa-users] Use of SAN's with automatic certificates in FreeIPA 4
Michael Lasevich
2014-09-12 01:25:11 UTC
If I remember correctly, you could not use SANs (Subject Alternative Names)
for certificates in FreeIPA 3.0 - is this still the case with 4?

I have hosts that automatically receive two hostnames, a long proper name
(like "service-i-12345678") and a simpler CNAME based on an index for ease
of access (like "service-1") - however, since the OS hostname is the "proper"
one, certs would typically be issued to that name. I want my users to be
able to hit it via the simpler "index" names. Is that currently possible
(especially given that the CNAMEs are actually in a different DNS domain)?

Thanks,

-M
Dmitri Pal
2014-09-12 11:12:50 UTC
Post by Michael Lasevich
If I remember correctly, you could not use SANs (Subject Alternative
Names) for certificates in FreeIPA 3.0 - is this still the case with 4?
https://fedorahosted.org/freeipa/ticket/3977 < 4.0 is able.
Post by Michael Lasevich
I have hosts that automatically receive two hostnames, a long proper
name (like "service-i-12345678") and a simpler CNAME based on an index
for ease of access (like "service-1") - however, since the OS hostname is
the "proper" one, certs would typically be issued to that name. I want
my users to be able to hit it via the simpler "index" names. Is that
currently possible (especially given that the CNAMEs are actually in a
different DNS domain)?
Thanks,
-M
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Michael Lasevich
2014-09-12 18:43:54 UTC
That is awesome, but I am clearly missing some insight as to how this is
supposed to work. Can you point me to some more specific info on how to
accomplish this?

I tried using the ipa-getcert request with multiple -D's from the client,
but got :

** Insufficient access: You need to be a member of the serviceadmin role to
add services

Unless I am missing something, I should probably not add each host to
"serviceadmins" for security reasons.

So I then tried generating a CSR via openssl with SANs on the client and
then adding it using "ipa cert-request file.csr --principal
host/${client_hostname}@DOMAIN" from the IPA server as admin (just to be sure)
and got this error (where <ALIAS> is the first SAN):

** ipa: ERROR: The service principal for subject alt name <ALIAS> in
certificate request does not exist

It sounds like I need to create a service principal for each SAN, but I can't
seem to figure out how to do it (it only allows me to create service
principals for existing hosts).

Any help or pointers would be greatly appreciated

-M
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Dmitri Pal
2014-09-12 19:19:47 UTC
Post by Michael Lasevich
That is awesome, but I am clearly missing some insight as to how this
is supposed to work. Can you point me to some more specific info on
how to accomplish this?
I tried using the ipa-getcert request with multiple -D's from the
client, but got:
** Insufficient access: You need to be a member of the serviceadmin
role to add services
Unless I am missing something, I should probably not add each host to
"serviceadmins" for security reasons.
4.0 has a new permissions system; this might yet be another use case
that we have overlooked.
I will leave to developers to review this situation on Monday morning.
Post by Michael Lasevich
So I then tried generating a CSR via openssl with SANs on the client
and then adding it using "ipa cert-request file.csr --principal
host/${client_hostname}@DOMAIN" from the IPA server as admin and got:
** ipa: ERROR: The service principal for subject alt name <ALIAS> in
certificate request does not exist
It sounds like I need to create a service principal for each SAN, but I
can't seem to figure out how to do it (it only allows me to create
service principals for existing hosts).
Any help or pointers would be greatly appreciated
-M
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Martin Kosek
2014-09-15 14:53:21 UTC
Post by Michael Lasevich
That is awesome, but I am clearly missing some insight as to how this is
supposed to work. Can you point me to some more specific info on how to
accomplish this?
I tried using the ipa-getcert request with multiple -D's from the client, but
got:
** Insufficient access: You need to be a member of the serviceadmin role to
add services
Unless I am missing something, I should probably not add each host to
"serviceadmins" for security reasons.
4.0 has a new permissions system; this might yet be another use case that we
have overlooked.
No, not really - this part works well with 4.0.
I will leave to developers to review this situation on Monday morning.
Post by Michael Lasevich
So I then tried generating a CSR via openssl with SANs on the client and
then adding it using "ipa cert-request file.csr --principal
host/${client_hostname}@DOMAIN" from the IPA server as admin and got:
** ipa: ERROR: The service principal for subject alt name <ALIAS> in
certificate request does not exist
It sounds like I need to create a service principal for each SAN, but I can't
seem to figure out how to do it (it only allows me to create service principals
for existing hosts).
You need to create an (unused) host for the SAN service first. After that you
can create the service. Dummy service/host entries with appropriate managedby
attribute are used to authorize which host/service.

I did a quick test with latest FreeIPA 4.0.3 and it worked for me:

# ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert -K test/`hostname` -N CN=`hostname`,O=EXAMPLE.COM -D san.host.example.test -g 2048
New signing request "20140915143901" added.

# ipa-getcert list -i 20140915143901
Number of certificates and requests being tracked: 8.
Request ID '20140915143901':
status: CA_REJECTED
ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server. Insufficient access: You need
to be a member of the serviceadmin role to add services).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes


This is expected, now the authorization needs to be added:

# ipa service-add test/`hostname`
# ipa service-add test/san.host.example.test --force
# ipa service-add-host test/san.host.example.test --host `hostname`
Principal: test/***@MKOSEK-FEDORA20.TEST
Managed by: san.host.example.test, ipa.mkosek-fedora20.test
-------------------------
Number of members added 1
-------------------------


# ipa-getcert resubmit -i 20140915143901
Resubmitting "20140915143901" to "IPA".

# ipa-getcert list -i 20140915143901
Number of certificates and requests being tracked: 8.
Request ID '20140915143901':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MKOSEK-FEDORA20.TEST
subject: CN=ipa.mkosek-fedora20.test,O=MKOSEK-FEDORA20.TEST
expires: 2016-09-15 14:48:01 UTC
dns: san.host.example.test
principal name: test/ipa.mkosek-***@MKOSEK-FEDORA20.TEST
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

# certutil -L -d /etc/httpd/nssdb -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11 (0xb)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=MKOSEK-FEDORA20.TEST"
Validity:
Not Before: Mon Sep 15 14:48:01 2014
Not After : Thu Sep 15 14:48:01 2016
Subject: "CN=ipa.mkosek-fedora20.test,O=MKOSEK-FEDORA20.TEST"
...
Name: Certificate Subject Alt Name
DNS name: "san.host.example.test"
...


I also updated
http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
with a couple of hints on how that works.

HTH,
Martin
Michael Lasevich
2014-09-15 17:52:37 UTC
Martin, this was extremely helpful. I got it to work manually, now all I
need to do is automate the process :-)

The only thing "missing" from this is that I needed to do "ipa host-add
san.host.example.test" before your other "ipa service-add" commands. You
mentioned it but did not show the command, so for those who will want to
follow the script, it is an essential part of the process.

Thank you so much,

-M
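The full sequence the thread converges on (Martin's dummy host/service entries with managedby, plus the "ipa host-add" step Michael points out was missing) scripted as one procedure, as an added example that is not code from the thread or from the FreeIPA project. It assumes a hypothetical HTTP service, the key in /etc/httpd/nssdb under nickname Server-Cert, realm EXAMPLE.TEST, and that it runs on the enrolled client as a user holding an admin Kerberos ticket; the host and alias names are constructed. The plan is printed before it is executed, and the issued certificate is checked for every alias before anything is pointed at it.

```shell
#!/bin/bash
# Added example (not from the thread or the FreeIPA project): authorize and
# request a certmonger certificate whose SAN carries extra DNS aliases.
# Assumed/hypothetical: service type HTTP, NSS DB /etc/httpd/nssdb, nickname
# Server-Cert, realm EXAMPLE.TEST. Needs an admin ticket (kinit admin).
set -euo pipefail

IPA=${IPA:-ipa}
GETCERT=${GETCERT:-ipa-getcert}
NSSDB=${NSSDB:-/etc/httpd/nssdb}
NICK=${NICK:-Server-Cert}
REALM=${REALM:-EXAMPLE.TEST}
SVC=${SVC:-HTTP}

# Print the ipa commands that let host $1 obtain a cert naming aliases $2...
# Printing first lets an operator review what gets created in the directory.
plan_san_auth() {
    local host=$1; shift
    echo "$IPA service-add $SVC/$host"
    local alias
    for alias in "$@"; do
        # --force: the alias has no A record in IPA DNS (it is a CNAME elsewhere)
        echo "$IPA host-add $alias --force"
        echo "$IPA service-add $SVC/$alias --force"
        # managedby: this is what authorizes host/$host to request $SVC/$alias
        echo "$IPA service-add-host $SVC/$alias --hosts=$host"
    done
}

# The certmonger request for host $1, aliases $2... as dNSName SANs (-D).
getcert_cmd() {
    local host=$1; shift
    local cmd="$GETCERT request -d $NSSDB -n $NICK -K $SVC/$host -N CN=$host,O=$REALM -g 2048"
    local alias
    for alias in "$@"; do cmd="$cmd -D $alias"; done
    echo "$cmd"
}

# Given the text of 'openssl x509 -noout -text' in $1, succeed only if every
# name in $2... is present as a DNS SAN. A cert missing the alias fails TLS
# hostname validation in every client, so check before switching the CNAME.
cert_has_sans() {
    local dump=$1; shift
    local sans
    sans=$(printf '%s\n' "$dump" | awk '/Subject Alternative Name/{getline; print}')
    local n
    for n in "$@"; do
        case "$sans," in
            *"DNS:$n,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample of what 'certutil -L -d $NSSDB -n $NICK -a |
# openssl x509 -noout -text' prints for a cert that carries one alias.
SAMPLE_DUMP='Certificate:
    Data:
        Subject: CN=web-i-12345678.example.test, O=EXAMPLE.TEST
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:web-1.alias.example.test, DNS:web-i-12345678.example.test'

main() {
    local host=$1; shift
    plan_san_auth "$host" "$@"            # show the plan
    plan_san_auth "$host" "$@" | sh -e    # create host/service/managedby entries
    eval "$(getcert_cmd "$host" "$@")"    # submit the request to certmonger
    local i status
    for i in 1 2 3 4 5 6 7 8 9 10; do      # certmonger issues asynchronously
        status=$($GETCERT list -d "$NSSDB" -n "$NICK" | awk '/status:/{print $2; exit}')
        [ "$status" = MONITORING ] && break
        [ "$status" = CA_REJECTED ] && { $GETCERT list -d "$NSSDB" -n "$NICK"; exit 1; }
        sleep 3
    done
    local dump
    dump=$(certutil -L -d "$NSSDB" -n "$NICK" -a | openssl x509 -noout -text)
    cert_has_sans "$dump" "$@" || { echo "issued cert lacks an alias SAN" >&2; exit 1; }
    echo "certificate $NICK carries SANs: $*"
}

# usage: ./san-cert.sh web-i-12345678.example.test web-1.alias.example.test
if [ $# -ge 2 ]; then main "$@"; fi
```

The managedby entry is the authorization boundary here: after service-add-host, host/web-i-12345678 can request certificates for HTTP/web-1.alias, so review which real hosts are listed as managers of each alias service rather than widening the serviceadmin role.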