KRA Problem
by Tiago Magalhães
Hi, I installed the CA and KRA in the same Tomcat instance, but when I try to
enroll a certificate using server-side key generation, the following
message appears: "KRA Transport Certificate needs to be imported into the
CA nssdb for Server-Side Kegen Enrollment". Do you know how I can fix
this?
Thanks for your attention.
4 days, 8 hours
Re: Any guide on how to design custom certificate profiles for FreeIPA Dogtag?
by alexey@filimonic.net
Well, the goal is:
Make a default certificate for workstations joined to a FreeIPA domain (FreeIPA side) to allow them to use it as an identity to authenticate against 802.1x (wired and wireless. Yes, machine auth is the goal, not user) and (secondary) to protect services hosted on workstations. Possibly this should replace FreeIPA's default caIPAserviceCert.
Currently I am stuck with several problems:
* Make a certificate enrolled from this template distinguishable from other certificates by humans. This can be achieved by adding the "legacy" V1 template name 1.3.6.1.4.1.311.20.2 (MS: szOID_ENROLL_CERTTYPE_EXTENSION).
* Add something globally unique in moment and in time to SAN, like ldap:ipaUniqueId
And several questions:
* Can I add something to the SAN UPN to make the logic for Windows and Linux certificates on RADIUS less distinctive?
* I want to avoid saving the certificate with IPA. Should I modify the default caIPAserviceCert, or would it be better to limit it to some hosts and services?
5 months, 2 weeks