Chapter 5.  Managing the CA and DNS Integrated Services

Abstract

Goal

Manage the Certificate Authority (CA) and the Domain Name Service (DNS) that are integrated with Identity Management.

Objectives
  • Issue certificates, configure certificate-based authentication, and control certificate validity.

  • Manage the integrated DNS service configuration, zones, and locations.

Sections
  • Managing the Integrated Certificate Authority (and Guided Exercise)

  • Managing the Integrated DNS Service (and Guided Exercise)

Lab
  • Managing the CA and DNS Integrated Services

Managing the Integrated Certificate Authority

Objectives

  • Issue certificates, configure certificate-based authentication, and control certificate validity.

Managing the Integrated Certificate Authority

During IdM server installation, you have the option to use an external TLS/SSL certificate authority (CA) or the integrated CA provided as part of the product. The IdM integrated CA is a component from the upstream Dogtag Certificate System project.

The Key Recovery Authority (KRA) component from Dogtag is also used in IdM to provide vaults. You can use a vault to store, retrieve, share, and recover a secret. A secret is security-sensitive data, usually authentication credentials, that only a limited group of people or entities can access. IdM vaults are covered in a later chapter.

In an IdM topology, you can manage certificates in several ways, depending on organization requirements or administrative staff preferences.

Certmonger is a service, included with IdM, that manages certificates. Certmonger tracks certificate expiration dates and warns you as their expiration approaches. You can manage IdM certificates through the certmonger service with the ipa-getcert command.

You can use other commands to manage certificates, such as certutil or openssl.

Creating Certificates

You can use any of the following methods to generate and sign certificates:

ipa-getcert

Use the ipa-getcert request command to request certificates directly from the CA. This command generates a Certificate Signing Request (CSR) and sends it to the CA for signing. Certmonger tracks the resulting certificate.

Note

Certmonger can only create certificates in directories that have the SELinux cert_t type. Use the semanage fcontext command to ensure that the file context for the directory is correct.

[user@host ~]$ semanage fcontext -a -t cert_t "/etc/httpd/certs(/.*)?"
[user@host ~]$ ipa-getcert request -f /etc/httpd/certs/intranet.pem \
  -k /etc/httpd/certs/intranet.key \
  -K http/intranet.example.com \
  -D intranet.example.com

certutil

Use the certutil command to generate a Certificate Signing Request (CSR). Use the ipa cert-request command to submit the resulting file to your CA for signing:

[user@host ~]$ certutil -R -d ~/certdb/ \
  -a -g 4096 \
  -n intranet \
  -s "CN=intranet, O=EXAMPLE.COM" \
  > ~/intranet.csr

openssl

To generate a CSR, use the openssl req command. Submit the resulting file to your CA for signing:

[user@host ~]$ openssl req \
  -out ~/intranet.csr -new \
  -newkey rsa:2048 \
  -nodes -sha256 \
  -keyout ~/intranet.key

To sign CSRs created with the certutil and openssl commands, use the ipa cert-request command:

[user@host ~]$ ipa cert-request intranet.csr \
  --principal=host/server.example.com

Renewing Certificates

Renewing a certificate requires access to the existing private key.

ipa-getcert

Red Hat IdM automatically renews certificates for the internal CA and for internal services. The ipa-getcert request command is used the same way for a renewal as for a new request. Certmonger reuses any existing key found at the path given by the -k option. If no key is found, one is generated, which makes this a new request.

[user@host ~]$ ipa-getcert request -f /etc/httpd/intranet.pem \
  -k /etc/httpd/intranet.key \
  -K http/intranet.example.com \
  -D intranet.example.com

certutil

To renew a certificate, use the certutil -R -k command. The -k option specifies the type or ID of an existing key in the Network Security Services (NSS) database:

[user@host ~]$ certutil -R -d ~/certdb/ \
  -a -g 4096 \
  -k "NSS Certificate DB:intranet" \
  -s "CN=intranet, O=EXAMPLE.COM" \
  > ~/intranet.csr

openssl

To renew a certificate, use the openssl req command, but reference an existing private key:

[user@host ~]$ openssl req -new \
  -out ~/intranet.csr \
  -key ~/intranet.key

To sign renewed CSRs with certutil and openssl, use the ipa cert-request command:

[user@host ~]$ ipa cert-request intranet.csr \
  --principal=host/server.example.com

Revoking a Certificate Signed by an External CA

When using an external CA, the process for revoking a certificate varies. The CA usually needs a serial number and a reason for revoking the certificate.

Whether or not a certificate has been revoked, you can remove it from an object in IdM. Use the ipa object_type-remove-cert command, where object_type is one of user, host, or service. Provide the content of the certificate using the --certificate option:

[user@host ~]$ ipa user-remove-cert demouser \
  --certificate="..."

Note

The content of the certificate must be the base64-encoded Distinguished Encoding Rules (DER) form of the certificate. To produce it from a Privacy-Enhanced Mail (PEM) file, run the following command:

[user@host ~]$ openssl x509 -inform PEM \
  -outform DER < cert.pem | base64 > cert.b64

Revoking a Certificate Signed with the Internal CA

When IdM is installed with the internal CA, the process to revoke a certificate is a single command.

Use the ipa cert-revoke command, providing the certificate serial number and the revocation reason. A table of revocation reasons can be found in the References section.

[user@host ~]$ ipa cert-revoke 21 --revocation-reason=4
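
Both commands above need values taken from the certificate itself: ipa cert-revoke wants the serial number in decimal, and the remove-cert commands want the DER content as a single base64 line. The following Python example is added here and is not part of the course; it pulls both values out of a PEM file using only the standard library, by walking the first ASN.1 fields of the certificate (the outer SEQUENCE, the tbsCertificate SEQUENCE, the optional [0] version, then the serialNumber INTEGER). The embedded SAMPLE_PEM is a constructed minimal structure containing only those fields, not a real certificate; the parser handles long-form lengths and multi-byte serials, so it also works on real certificates from an external CA.

```python
import base64

# Constructed sample, NOT a real certificate: a PEM-wrapped DER structure that
# holds only the outer SEQUENCE, the tbsCertificate SEQUENCE, the [0] version
# field (v3) and the serialNumber INTEGER 21, which is all this parser reads.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAowCKADAgECAgEV
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and return the raw DER bytes."""
    body = [ln for ln in pem.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def _read_tlv(der: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def certificate_serial(der: bytes) -> int:
    """Return the serial number as an int, whatever its size (for ipa cert-revoke)."""
    tag, pos, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, pos, _ = _read_tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, start, end = _read_tlv(der, end)
    assert tag == 0x02, "serialNumber is not an INTEGER"
    return int.from_bytes(der[start:end], "big", signed=True)


def remove_cert_argument(pem: str) -> str:
    """Single-line base64 DER, the form the --certificate option expects."""
    return base64.b64encode(pem_to_der(pem)).decode("ascii")


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("ipa cert-revoke", certificate_serial(der), "--revocation-reason=4")
    print('--certificate="' + remove_cert_argument(SAMPLE_PEM) + '"')
```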

References

Further information is available in the Managing Certificates in IdM chapter in the Red Hat Enterprise Linux 9 product documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_certificates_in_idm/index

Revision: rh362-9.1-4c6fdb8