Hi Andrew,
Responses inline.
On Wed, Nov 28, 2018 at 05:35:11PM -0800, Andrew C Dingman via FreeIPA-users wrote:
Hi, all
I'm not sure the following is feasible, but IHAC who may want to use
IPA in an air-gapped network while relying on smart card authentication
using certificates from a very large, external CA. Can anyone give me
an idea of whether the following scenario is feasible, and if so,
supportable?
External certificate authority E issues user certificates and
provisions smart card tokens. (It runs RHCS, if that matters.) Inside
the isolated network, users are separately maintained in IPA domain P.
When each user is created in P, a certificate issued by E is added to
the user's entry. That certificate is used for pkinit and ssl/tls
client authentication to services in P.
So far, my understanding is that this should be feasible provided that
E is added as a trusted authority in various places, but I'm a little
fuzzy on the pkinit piece. Where it gets really problematic is dealing
with CRLs.
Yes, so far so good. That's all supported.
Because P and its relying parties are isolated, they can't use
OCSP to
check current validity of a certificate. To avoid the hassles of
distributing CRLs to all relying systems and services manually, would
it be possible to add those CRLs to the set served by the OCSP
responder in P? Obviously the responses would be signed by P rather
than E, but if P has verified the CRL on which they were based it seems
at least potentially viable.
X.509 supports delegating OCSP signing authority to 3rd parties.
But we do not support it in Dogtag or FreeIPA at this time. It
would be complex to implement.
If they are already using RHCS, they could consider using a
standalone OCSP subsystem to service the OCSP requests. I'm not
sure about the setup detail, i.e. whether regulary transporting
CRL(s) from the air-gapped CA to the OCSP subsystem is sufficient,
or whether LDAP replication must be used. I've Cc'd pki-users ML
for input from people who hopefully know more about the OCSP
subsystem than I do.
On the user certificate issuance side, they are using RHCS. So it
is straightforward to configure a profile that sets the Authority
Information Access extension to point to whatever OCSP responder
they end up using.
As currently envisioned, E would be completely unaware of the existence
of P,
Not possible. E must at least be aware of P to the extent that it
has issued an delegated OCSP signing certificate to P. Otherwise
the OCSP responses issued by P, pertaining to certificates issued by
E, cannot be trusted by clients, even if they trust P as a CA.
but P would trust certificates issued by E. If that isn't
feasible, would it make any difference if P's CA were subordinate to E?
There are some scenarios that conceptually work (e.g. P's CA
certificate, issued by E, contains the id-kp-OCSPSigning Extended
Key Usage OID). But it is irrelevant because I do not believe there
is a way to configure a Dogtag CA subsystem to service OCSP requests
on behalf of an external CA.
Thanks in advance for any guidance you can offer.
You're welcome.
Cheers,
Fraser