This repository has been archived by the owner on Jan 12, 2018. It is now read-only.

Document and add workaround for FreeIPA 4.4 support
FreeIPA 4.4 needs additional permission "Request Certificate with
SubjectAltName" and does not support the chain argument.

Signed-off-by: Christian Heimes <[email protected]>
tiran committed Apr 24, 2017
1 parent 24ac8c4 commit 951325b
Showing 3 changed files with 34 additions and 6 deletions.
22 changes: 18 additions & 4 deletions README
Expand Up @@ -181,10 +181,11 @@ Run Custodia server
IPA cert request
----------------

The IPACertRequest store plugin generates or revokes certificates on the
fly. It uses a backing store to cache certs and private keys. The plugin
can create service principal automatically. However the host must
already exist.
The *IPACertRequest* store plugin generates or revokes certificates on
the fly. It uses a backing store to cache certs and private keys. The
plugin can create service principal automatically. However the host must
already exist. The *IPACertRequest* does not create host entries on the
fly.

The request ``GET /secrets/certs/HTTP/client1.ipa.example`` generates a
private key and CSR for the service ``HTTP/client1.ipa.example`` with
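Review bot: the added sentence "The *IPACertRequest* does not create host entries on the fly." restates "However the host must already exist" from the sentence just before it, and that earlier sentence also has a missing plural and comma ("can create service principal automatically. However the host"). Fold the two into one, e.g. "The plugin can create service principals automatically; however, the host must already exist, because *IPACertRequest* does not create host entries on the fly."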
Expand All @@ -194,3 +195,16 @@ the same time.

Automatical renewal of revoked or expired certificates is not
implemented yet.

FreeIPA 4.4 support
~~~~~~~~~~~~~~~~~~~

The default settings and permissions are tuned for FreeIPA >= 4.5. For
4.4, the plugin must be configured with ``chain=False``. The additional
permission ``Request Certificate with SubjectAltName`` is required, too.

::

ipa privilege-add-permission \
--permissions="Request Certificate with SubjectAltName" \
"Custodia Service Certs"
14 changes: 13 additions & 1 deletion README.md
Expand Up @@ -170,9 +170,10 @@ $ custodia /etc/custodia/custodia.conf

## IPA cert request

The IPACertRequest store plugin generates or revokes certificates on the
The *IPACertRequest* store plugin generates or revokes certificates on the
fly. It uses a backing store to cache certs and private keys. The plugin can
create service principal automatically. However the host must already exist.
The *IPACertRequest* does not create host entries on the fly.

The request ```GET /secrets/certs/HTTP/client1.ipa.example``` generates a
private key and CSR for the service ```HTTP/client1.ipa.example``` with
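Review bot: same wording problem as in the README: "create service principal automatically. However the host must already exist." needs "service principals" and "However, the host", and the added "does not create host entries on the fly" sentence duplicates "the host must already exist"; merge them into one sentence and keep README and README.md identical here.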
Expand All @@ -182,3 +183,14 @@ the same time.

Automatical renewal of revoked or expired certificates is not implemented yet.

### FreeIPA 4.4 support

The default settings and permissions are tuned for FreeIPA >= 4.5. For 4.4,
the plugin must be configured with ```chain=False```. The additional
permission ```Request Certificate with SubjectAltName``` is required, too.

```
ipa privilege-add-permission \
--permissions="Request Certificate with SubjectAltName" \
"Custodia Service Certs"
```
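Review bot: the fenced block carries no language tag; use ```sh so the ipa command is highlighted. As in the README, the section should also state that certificate requests fail on a 4.4 server when ```chain``` is left enabled, and that the "Custodia Service Certs" privilege must already exist before this command is run.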
4 changes: 3 additions & 1 deletion src/custodia/ipa/certrequest.py
Expand Up @@ -152,13 +152,15 @@ def build_csr(self, hostname, **kwargs):

# pylint: disable=arguments-differ
def _cert_request(self, pem_req, principal, **kwargs):
# FreeIPA 4.4 has no chain option, only pass kwarg when enabled
if self.plugin.chain:
kwargs['chain'] = True
with self.plugin.ipa as ipa:
return ipa.Command.cert_request(
pem_req,
profile_id=self.plugin.cert_profile,
add=self.plugin.add_principal,
principal=principal,
chain=self.plugin.chain,
**kwargs
)

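Review bot: the 4.4 fallback rests entirely on the operator setting ``chain=False``; if the flag is left enabled against a 4.4 server, ``cert_request`` is called with an option that server does not know and the failure gives no hint that points at the setting. Consider catching that failure and logging that ``chain=False`` is required for FreeIPA 4.4, or deriving the option from the server's API version rather than a config flag. Also note in the comment that, with ``chain`` now only added when enabled, a ``chain`` key supplied by the caller in ``kwargs`` is no longer overridden (the previous ``chain=self.plugin.chain`` keyword would have clashed with it).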

0 comments on commit 951325b
