This is a blog with random OpenShift, Kubernetes, OpenStack and Linux related notes so I don't forget things. If you find something inaccurate or that could be fixed, please file a bug report here.

View on GitHub

Back to home

10 January 2018

Using FreeIPA SubCAs

by Juan Antonio Osorio Robles

Using lightweight CAs in FreeIPA is quite straight forward.

With an existing FreeIPA installation, you can add a sub CA with the following command:

ipa ca-add

It will ask you to name the sub CA, and specify the Common Name and will give an output such as the following:

Name: mysubca
Subject DN: CN=SUBCA
Created CA "mysubca"
  Name: mysubca
  Authority ID: 2e668254-d080-4913-aa85-e69d4e69e670
  Subject DN: CN=SUBCA
  Issuer DN: CN=Certificate Authority,O=RDOCLOUD
  Certificate: ...

The Common Name you specify is what you’ll see in the “issuer” section of the certificates you request with this sub CA. The name is a nickname of your choice, which in this case, I used mysubca.

If you try to request certificates with just this, you’ll get an error saying you don’t have sufficient privileges. To address this, we need to set the relevant ACL for the CA.

you can see what ACLs are currently available with the following command:

ipa caacl-find

The output will look like this:

1 CA ACL matched
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
Number of entries returned 1

To add the ACL for enabling service certificates for the new sub CA we do:

ipa caacl-add-ca hosts_services_caIPAserviceCert --cas=mysubca

Note that to specify the CA that you’re adding the ACL to, you need to use the nickname of the sub CA.

Finally, you can request certificates from your sub CA. to do so, you need to do:

getcert request -c IPA -I mycert -k mykey.pem -f mycert.pem -D myinstance.rdocloud -K test/myinstance.rdocloud -N 'CN=myinstance.rdocloud' -U id-kp-clientAuth -U id-kp-clientAuth -X mysubca

tags: freeipa

Back to home