On Mon, Oct 14, 2024 at 06:23:35PM -0000, alexey(a)filimonic.net wrote:
> Well, the goal is:
> Make a default certificate for workstations joined to a FreeIPA domain
> (FreeIPA side) to allow them to use it as identity to authenticate
> against 802.1x (wired and wireless. Yes, machine auth is the goal, not
> user) and (secondary) to protect services hosted on workstations.
> Possibly this should replace default FreeIPA's caIPAserviceCert.
> Currently I am stuck with several problems:
> * Make a certificate enrolled from this template distinctive from
> other certificates by humans. This can be achieved by adding
> "legacy" V1 template name 1.3.6.1.4.1.311.20.2 (MS:
> szOID_ENROLL_CERTTYPE_EXTENSION).
We don't have a profile component specifically for adding the MS
template name extension (either v1 or v2). But you can use the
GenericExtDefault component, and specify the extension OID,
criticality, and the raw extension value.
> * Add something globally unique in moment and in time to SAN, like
> ldap:ipaUniqueId
This is not supported with FreeIPA, which operates as a Registration
Authority (RA) and validates CSR content against the subject
principal's LDAP entry.
That said, it would be easy to add support for this. You could
assert the UUID as a uniformResourceIdentifier SAN value, using the
`urn:uuid:<uuid-string>` embedded per
https://datatracker.ietf.org/doc/html/rfc9562#section-4. The value
would be checked against the principal's ipaUniqueId attribute. If
this approach meets your requirements, please file an RFE.
> And several questions:
> * Can I add something to SAN UPN to make logic for Windows and
> Linux certificates on RADIUS less distinctive?
SAN UPN is supported and is validated against the principal entry.
> * I want to avoid saving the certificate with IPA. Should I modify
> default caIPAserviceCert, or will it be better to limit it to some
> hosts and services?
The `ipaCertProfileStoreIssued` boolean attribute controls whether
or not IPA stores the certificate in the subject principal's entry.
Cheers,
Fraser
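Added example (not code from the thread or from FreeIPA/Dogtag): it builds the raw value for the V1 template-name extension discussed above, which is a DER BMPString of the template name, and the `urn:uuid:` URI SAN form Fraser proposes for ipaUniqueId. The template name "Machine" and the UUID are constructed sample values; only the standard library is used.

```python
import uuid

MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # szOID_ENROLL_CERTTYPE_EXTENSION


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ms_v1_template_ext_value(template_name: str) -> bytes:
    """Raw extension value for the V1 template-name extension: a DER
    BMPString (tag 0x1E) whose content is the name in UTF-16BE. This is
    the byte string a generic-extension profile component would carry."""
    payload = template_name.encode("utf-16-be")
    return b"\x1e" + der_length(len(payload)) + payload


def parse_bmpstring(der: bytes) -> str:
    """Decode a DER BMPString back to text, e.g. to verify what a CA
    actually put into an issued certificate. Rejects trailing bytes."""
    if len(der) < 2 or der[0] != 0x1E:
        raise ValueError("not a BMPString")
    first = der[1]
    if first < 0x80:
        length, start = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        start = 2 + nbytes
    body = der[start:start + length]
    if len(body) != length or start + length != len(der):
        raise ValueError("length mismatch")
    return body.decode("utf-16-be")


def urn_uuid_san(ipa_unique_id: str) -> str:
    """URI SAN value carrying ipaUniqueId as an RFC 9562 UUID URN.
    Only the canonical hyphenated 8-4-4-4-12 form is accepted, so a
    value that merely parses as a UUID (braces, bare hex) is refused."""
    u = uuid.UUID(ipa_unique_id)  # raises ValueError on garbage
    if str(u) != ipa_unique_id.lower():
        raise ValueError("ipaUniqueId must be canonical 8-4-4-4-12 form")
    return f"urn:uuid:{u}"
```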